[MAVEN:GHSA-8RMV-98M4-G5C6] Apache Druid before 0.23.0 vulnerable to reflected XSS via unescaped URL parameters

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks. This issue is patched in version 0.23.0.

Package	Affected Version
pkg:maven/org.apache.druid/druid	< 0.23.0

Package	Fixed Version
pkg:maven/org.apache.druid/druid	= 0.23.0

ID: MAVEN:GHSA-8RMV-98M4-G5C6
Severity: moderate
URL: https://github.com/advisories/GHSA-8rmv-98m4-g5c6
Published: 2022-07-08T00:00:43
(2 years ago)
Modified: 2023-01-27T05:05:25
(20 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2021-44791
			https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6
			https://github.com/advisories/GHSA-8rmv-98m4-g5c6

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.apache.druid/druid	org.apache.druid	druid	< 0.23.0
Fixed	pkg:maven/org.apache.druid/druid	org.apache.druid	druid	= 0.23.0

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date