Description
In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.
Published: 2022-07-07
Score: 6.1 Medium
EPSS: 6.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

Vendor Workaround

Upgrade to Druid 0.23.0 or later.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2022-6296 In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.
Github GHSA Github GHSA GHSA-8rmv-98m4-g5c6 Apache Druid before 0.23.0 vulnerable to reflected XSS via unescaped URL parameters
History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.07586}

 epss

{'score': 0.08295}

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0591}

 epss

{'score': 0.07586}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.03466}

 epss

{'score': 0.0591}

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.04024}

 epss

{'score': 0.03466}

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.03531}

 epss

{'score': 0.04024}

Subscriptions

Apache Druid
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-04T04:32:13.108Z

Reserved: 2021-12-10T00:00:00.000Z

Link: CVE-2021-44791

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-07-07T19:15:07.790

Modified: 2024-11-21T06:31:33.563

Link: CVE-2021-44791

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses