Cross-site Scripting (XSS) Affecting org.apache.drill.exec:drill-java-exec package, versions [,1.12.0)


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Not Defined
EPSS: 0.09% (42nd percentile)

  • Snyk ID: SNYK-JAVA-ORGAPACHEDRILLEXEC-32026
  • Published: 20 Dec 2017
  • Disclosed: 4 Sept 2017
  • Credit: Sanjog Panda

Introduced: 4 Sep 2017

CVE-2017-12630
CWE-79

How to fix?

Upgrade org.apache.drill.exec:drill-java-exec to version 1.12.0 or higher (the affected range is [,1.12.0), i.e. 1.11.0 and earlier).

Overview

org.apache.drill.exec:drill-java-exec is a distributed MPP query layer that supports SQL and alternative query languages against NoSQL and Hadoop data storage systems.

Affected versions of the package are vulnerable to Cross-site Scripting (XSS).

In Apache Drill 1.11.0 and earlier, when submitting the form on the Query page, users are able to pass arbitrary script or HTML, which takes effect on the Profile page afterwards. Example: after submitting a script that returns cookie information from the Query page, a malicious user may obtain this information from the Profile page afterwards. The root cause is that the submitted query text is stored and later rendered into the Profile page without HTML encoding (a stored XSS, CWE-79).
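The pattern described above, stored text from one page rendered verbatim into another, and the output-encoding fix, as an added example. This is not Apache Drill's code and does not reproduce its Query or Profile page; the class and method names (`ProfileRenderer`, `renderUnsafe`, `renderSafe`, `escapeHtml`) and the sample query are constructed for illustration.

```java
// Added example (not Apache Drill's code): a minimal "profile page" renderer
// showing the stored-XSS pattern from the advisory and its fix.
// All names here are hypothetical.
public class ProfileRenderer {

    // Vulnerable pattern: the query text submitted on the Query page is echoed
    // into the Profile page HTML verbatim, so any markup it carries is live.
    static String renderUnsafe(String storedQuery) {
        return "<h2>Query profile</h2><pre>" + storedQuery + "</pre>";
    }

    // Fixed pattern: HTML-encode the stored text for the element-content
    // context at output time. The original query is stored unchanged; only
    // the rendering differs.
    static String renderSafe(String storedQuery) {
        return "<h2>Query profile</h2><pre>" + escapeHtml(storedQuery) + "</pre>";
    }

    // Minimal HTML entity encoder for text content. In production code prefer a
    // maintained library such as OWASP Java Encoder (Encode.forHtml), which
    // also covers attribute, JavaScript and URL contexts.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Check a reviewer would apply to the rendered page: no live <script>
    // element may remain after encoding.
    static boolean containsLiveScriptTag(String html) {
        return html.toLowerCase().contains("<script");
    }

    public static void main(String[] args) {
        // Constructed sample: a "query" that carries markup, as a user could
        // submit through the Query page form.
        String submitted = "SELECT 1 <script>x</script>";

        String unsafe = renderUnsafe(submitted);
        String safe = renderSafe(submitted);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        System.out.println("unsafe has live script tag: " + containsLiveScriptTag(unsafe)); // true
        System.out.println("safe has live script tag:   " + containsLiveScriptTag(safe));   // false
    }
}
```

The encoding is applied where the text is written into HTML, not where it is received: the same stored query may legitimately contain `<` or `>` as SQL, so input filtering would either break queries or miss variants, while output encoding is correct regardless of what was stored.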

Details


CVSS Scores

version 3.1