Padding Oracle vulnerability in Apache Druid extension, druid-pac4j.
This could allow an attacker to manipulate a pac4j session cookie.
This issue affects Apache Druid versions 0.18.0 through 30.0.0.
Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.
While we are not aware of a way to meaningfully exploit this flaw, we
nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue
and ensuring you have a strong
druid.auth.pac4j.cookiePassphrase as a precaution.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1 | Vendor Advisory |
http://www.openwall.com/lists/oss-security/2024/09/17/1 |
Configurations
History
21 Nov 2024, 09:37
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Oct 2024, 13:57
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-noinfo | |
References | () https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1 - Vendor Advisory | |
First Time |
Apache druid
Apache |
|
CPE | cpe:2.3:a:apache:druid:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
20 Sep 2024, 12:30
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
17 Sep 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-17 19:15
Updated : 2024-11-21 09:37
NVD link : CVE-2024-45384
Mitre link : CVE-2024-45384
CVE.ORG link : CVE-2024-45384
JSON object : View
Products Affected
apache
- druid
CWE