org.apache.druid:druid
Maven · 7 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.druid:druid
- CVE-2020-1958 · MEDIUM · CVSS 6.5 · EG 6.5 · Fixed in 0.17.1 · published 2020-04-01
  vulnerable: 0.17.0
  When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authent…
- CVE-2021-25646 · HIGH · CVSS 8.8 · EG 9.0 · Fixed in 0.20.1 · published 2021-01-29
  vulnerable: 0.13.0-incubating ... 0.20.0 (14 versions)
  Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and e…
- CVE-2021-26919 · HIGH · CVSS 8.8 · EG 8.8 · Fixed in 0.20.2 · published 2021-03-30
  vulnerable: 0.13.0-incubating ... 0.20.1 (15 versions)
  Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain pro…
- CVE-2021-44791 · MEDIUM · CVSS 6.1 · EG 6.1 · Fixed in 0.23.0 · published 2022-07-07
  vulnerable: 0.13.0-incubating ... 0.22.1 (20 versions)
  In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.
- CVE-2022-28889 · MEDIUM · CVSS 4.3 · EG 4.3 · Fixed in 0.23.0 · published 2022-07-07
  vulnerable: 0.13.0-incubating ... 0.22.1 (20 versions)
  In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
- CVE-2024-45537 · MEDIUM · CVSS 6.5 · EG 6.5 · Fixed in 30.0.1 · published 2024-09-17
  vulnerable: 0.13.0-incubating ... 30.0.0 (32 versions)
  Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a…
- CVE-2025-59390 · CRITICAL · CVSS 9.8 · EG 9.8 · Fixed in 35.0.0 · published 2025-11-26
  vulnerable: 0.13.0-incubating ... 34.0.0 (40 versions)
  Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, w…
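The ranges above are only useful once they are compared against what is actually deployed. The following script is an added example written for this page (it is not EchelonGraph's or Apache Druid's code): it transcribes the "vulnerable" and "Fixed in" values from the list, answers which advisories apply to a given Druid version, and names the smallest release that clears all of them. It assumes that ordering on the numeric part of a version is enough for these ranges, so the `-incubating` qualifier is parsed and then ignored, and it deliberately counts any build below the fix release as affected, so a snapshot between the last listed vulnerable release and the fix is not reported as clean.

```python
"""Version triage against the advisory list above.

Added example, not EchelonGraph's or Apache Druid's code. It transcribes the
ranges as the page states them and reports which advisories apply to a given
deployed version and the smallest release that clears them all.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    severity: str
    first_vulnerable: str  # earliest affected release listed
    last_vulnerable: str   # latest affected release listed
    fixed_in: str


# Transcribed from the list above.
ADVISORIES = [
    Advisory("CVE-2020-1958", "MEDIUM", "0.17.0", "0.17.0", "0.17.1"),
    Advisory("CVE-2021-25646", "HIGH", "0.13.0-incubating", "0.20.0", "0.20.1"),
    Advisory("CVE-2021-26919", "HIGH", "0.13.0-incubating", "0.20.1", "0.20.2"),
    Advisory("CVE-2021-44791", "MEDIUM", "0.13.0-incubating", "0.22.1", "0.23.0"),
    Advisory("CVE-2022-28889", "MEDIUM", "0.13.0-incubating", "0.22.1", "0.23.0"),
    Advisory("CVE-2024-45537", "MEDIUM", "0.13.0-incubating", "30.0.0", "30.0.1"),
    Advisory("CVE-2025-59390", "CRITICAL", "0.13.0-incubating", "34.0.0", "35.0.0"),
]


def parse_version(v):
    """'0.13.0-incubating' -> (0, 13, 0); '30' -> (30, 0, 0).

    Ordering is on the numeric part only. The '-incubating' qualifier is
    dropped: the assumption here is that no incubating release on this page
    needs to be ordered against a bare release of the same number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-[A-Za-z0-9.]+)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Druid version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def affecting(version, advisories=ADVISORIES):
    """Advisories whose stated range covers `version`.

    Anything at or above the first vulnerable release and below the fix is
    counted, so a build between the last listed vulnerable release and the fix
    (a snapshot, say) is treated as still affected rather than silently clean.
    """
    v = parse_version(version)
    return [a for a in advisories
            if parse_version(a.first_vulnerable) <= v < parse_version(a.fixed_in)]


def minimum_clean_version(version, advisories=ADVISORIES):
    """Smallest 'Fixed in' release that clears every advisory hitting `version`,
    or None when nothing on the list applies."""
    hits = affecting(version, advisories)
    if not hits:
        return None
    return max(hits, key=lambda a: parse_version(a.fixed_in)).fixed_in


if __name__ == "__main__":
    for ver in sys.argv[1:] or ["0.20.0", "30.0.1", "35.0.0"]:
        hits = affecting(ver)
        print(f"{ver}: {len(hits)} listed advisories apply; "
              f"upgrade target {minimum_clean_version(ver)}")
        for a in hits:
            print(f"  {a.cve} ({a.severity}) fixed in {a.fixed_in}")
```

Run it with the versions reported by your deployments as arguments, e.g. `python triage.py 0.20.0 30.0.1`. Because every range on this page starts at or before 0.17.0 and the newest fix is 35.0.0, any version below 35.0.0 will be reported with 35.0.0 as the upgrade target; the per-CVE breakdown is what tells you which of the listed issues are reachable in your configuration (LDAP, JavaScript, JDBC lookups, Kerberos).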
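CVE-2025-59390 is only reachable when the Kerberos authenticator is in use and `cookieSignatureSecret` is left unset, so the first question for an operator is whether any authenticator in `runtime.properties` is in that state. The script below is an added example (not part of Druid or of this page): it parses a Druid `runtime.properties` file with a minimal Java `.properties` reader, finds every authenticator whose `type` is `kerberos` (Druid names authenticators through `druid.auth.authenticator.<name>.*`, so the name is not necessarily `kerberos`), reports those without an explicit secret, and emits replacement lines using a secret drawn from the OS CSPRNG rather than `ThreadLocalRandom`. The sample properties fragment is constructed for the example; the `serverPrincipal` and `serverKeytab` keys are there only to make it look like a realistic authenticator block, and the parser handles only the escapes Druid configuration files normally contain.

```python
"""Audit a Druid runtime.properties file for Kerberos authenticators that would
fall back to the generated cookieSignatureSecret described in CVE-2025-59390.

Added example, not Apache Druid's own tooling. Assumes the authenticator layout
druid.auth.authenticator.<name>.type / .cookieSignatureSecret.
"""
import re
import secrets


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comment
    lines, backslash line continuations. Unicode and other escapes are not
    decoded (an assumption; Druid configs rarely need them)."""
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if pending:
            line = line.lstrip()            # continuation lines drop leading blanks
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        full = "".join(pending)
        pending = []
        stripped = full.strip()
        if not stripped or stripped[0] in "#!":
            continue
        m = re.match(r"\s*([^=:\s]+)\s*[=:]?\s*(.*)", full)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def kerberos_authenticators(props):
    """Names of authenticators configured with type=kerberos."""
    names = []
    for key, value in props.items():
        m = re.fullmatch(r"druid\.auth\.authenticator\.([^.]+)\.type", key)
        if m and value.lower() == "kerberos":
            names.append(m.group(1))
    return names


def missing_cookie_secrets(props):
    """Kerberos authenticators with no explicit (non-empty) cookieSignatureSecret,
    i.e. those relying on the weak fallback on versions before 35.0.0."""
    return [
        name for name in kerberos_authenticators(props)
        if not props.get(f"druid.auth.authenticator.{name}.cookieSignatureSecret")
    ]


def remediation_lines(props, nbytes=32):
    """Property lines to add, one fresh secret per affected authenticator.
    secrets.token_urlsafe draws from the OS CSPRNG (256 bits here), which is
    the point: the fallback the CVE describes comes from ThreadLocalRandom."""
    return [
        f"druid.auth.authenticator.{name}.cookieSignatureSecret="
        f"{secrets.token_urlsafe(nbytes)}"
        for name in missing_cookie_secrets(props)
    ]


# Constructed sample: a Kerberos authenticator block with no explicit secret.
SAMPLE_PROPERTIES = """\
druid.auth.authenticatorChain=["kerberos"]
druid.auth.authenticator.kerberos.type=kerberos
druid.auth.authenticator.kerberos.serverPrincipal=HTTP/_HOST@EXAMPLE.COM
druid.auth.authenticator.kerberos.serverKeytab=/etc/druid/druid.keytab
# druid.auth.authenticator.kerberos.cookieSignatureSecret is deliberately absent
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    props = parse_properties(text)
    for name in missing_cookie_secrets(props):
        print(f"authenticator '{name}' has no cookieSignatureSecret set")
    for line in remediation_lines(props):
        print(line)
```

Setting an explicit secret removes the weak fallback on every version, but it is a configuration workaround, not a substitute for the 35.0.0 upgrade, and the secret must be identical on every node that validates the same cookies. Rotating it invalidates outstanding signed cookies, which is the desired effect if an unfixed cluster may have issued cookies under a guessable secret.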
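CVE-2022-28889 is fixed by a response header, which is easy to lose again behind a reverse proxy or load balancer that rewrites headers, so it is worth verifying on the live endpoint after upgrading. The following check is an added example and not Druid's code; it takes a dict of response headers (as a client library would return them) and decides whether framing is actually blocked. It treats only the enforcing `Content-Security-Policy` header as protective (`Content-Security-Policy-Report-Only` just reports), parses the `frame-ancestors` directive rather than string-matching it, and falls back to `X-Frame-Options`, where `ALLOW-FROM` is counted as no protection because current browsers ignore it. The page does not state the exact policy Druid 0.23.0 sends, so the sample header values here are constructed.

```python
"""Check whether a response's headers block framing (the clickjacking control
CVE-2022-28889 is about). Added example, not Apache Druid's code."""


def csp_directives(value):
    """Parse a Content-Security-Policy value into {directive: [source, ...]}.
    Several policies may be joined with ',' (as multiple headers are when a
    client library merges them); each policy is a ';'-separated directive list."""
    out = {}
    for policy in value.split(","):
        for directive in policy.split(";"):
            parts = directive.strip().split()
            if parts:
                out.setdefault(parts[0].lower(), []).extend(parts[1:])
    return out


def clickjacking_protected(headers):
    """Return (protected, reason) for a dict of lowercase header name -> value.

    Only the enforcing CSP header counts. A frame-ancestors list containing a
    bare '*' is treated as unprotected; scheme or host wildcards such as
    'https://*' are accepted as a (narrower) restriction, a simplification."""
    csp = headers.get("content-security-policy")
    if csp:
        ancestors = csp_directives(csp).get("frame-ancestors")
        if ancestors:
            sources = {s.strip("'").lower() for s in ancestors}
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin"
            return True, f"CSP frame-ancestors {sorted(sources)}"
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is ignored by current browsers"
    return False, "no frame-ancestors directive and no X-Frame-Options"


# Constructed samples: an unfixed-style response and a fixed-style response.
UNFIXED_HEADERS = {"content-type": "text/html;charset=utf-8"}
FIXED_HEADERS = {
    "content-type": "text/html;charset=utf-8",
    "content-security-policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("unfixed", UNFIXED_HEADERS), ("fixed", FIXED_HEADERS)):
        ok, why = clickjacking_protected(hdrs)
        print(f"{label}: {'protected' if ok else 'NOT protected'} ({why})")
```

To use it against a real console, fetch the web console page with a session you already hold, lower-case the header names, and pass the dict in; check the response from the path users actually load, since a proxy may add or strip headers per route.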