CVE-2024-45384 Affecting druid package, versions <30.0.1-r0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CHAINGUARDLATEST-DRUID-8055007
- published 18 Sep 2024
- disclosed 17 Sep 2024
Introduced: 17 Sep 2024
CVE-2024-45384 Open this link in a new tabHow to fix?
Upgrade Chainguard druid to version 30.0.1-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream druid package and not the druid package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie.
This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.
While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.