Padding Oracle Vulnerability in Apache Druid's Druid-Pac4j Extension
CVE-2024-45384

5.3 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 17 September 2024

Summary

A padding oracle vulnerability exists in the druid-pac4j extension of Apache Druid, which could allow unauthorized manipulation of a pac4j session cookie. This vulnerability impacts Apache Druid versions from 0.18.0 through 30.0.0. Although this extension is optional and typically disabled by default, installations utilizing the druid-pac4j extension may be at risk. To mitigate potential threats, it is recommended to upgrade to version 30.0.1 or higher and to utilize a strong druid.auth.pac4j.cookiePassphrase for enhanced security.

Affected Version(s)

Apache Druid 0.18.0 <= 30.0.0
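A quick exposure check a defender can run against a node's configuration, written as an added example for this advisory (not Apache's code). It assumes the standard `druid.extensions.loadList` property lists loaded extensions in its usual JSON-style form, and treats a `druid.auth.pac4j.cookiePassphrase` shorter than an assumed 32 characters as weak; the sample config is constructed.

```python
"""Exposure check for CVE-2024-45384 (druid-pac4j padding oracle)."""
import re

AFFECTED_MIN = (0, 18, 0)   # first affected release, per the advisory
FIXED = (30, 0, 1)          # first fixed release, per the advisory


def parse_version(text):
    """'30.0.0' -> (30, 0, 0); tolerates a suffix such as '-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Druid version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True for 0.18.0 <= version <= 30.0.0 (i.e. anything below 30.0.1)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def assess(version, properties_text, min_passphrase_len=32):
    """Return findings for one Druid node: is it in the affected range,
    is druid-pac4j loaded, and is the cookie passphrase short (assumed
    threshold; the advisory only says to use a strong one)."""
    props = parse_properties(properties_text)
    # druid.extensions.loadList is Druid's standard extension list key.
    pac4j_loaded = "druid-pac4j" in props.get("druid.extensions.loadList", "")
    passphrase = props.get("druid.auth.pac4j.cookiePassphrase", "")
    affected = is_affected_version(version)
    return {
        "affected_version": affected,
        "pac4j_loaded": pac4j_loaded,
        "vulnerable": affected and pac4j_loaded,
        "weak_passphrase": pac4j_loaded and len(passphrase) < min_passphrase_len,
    }


# Constructed sample config, not taken from any real deployment.
SAMPLE = """
druid.extensions.loadList=["druid-pac4j", "druid-s3-extensions"]
druid.auth.pac4j.cookiePassphrase=changeme
"""

if __name__ == "__main__":
    print(assess("30.0.0", SAMPLE))
```

A node that is in the affected range but does not load druid-pac4j is reported as not vulnerable, matching the advisory's note that only installations using the extension are at risk.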

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published (17 September 2024)