CVE-2021-44791

Summary

In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache DruidApache Druid <= 0.22.1affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Workarounds

Upgrade to Druid 0.23.0 or later.

ADP Enrichment

CVE Program Container

Additional References

References