Description

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.

INFO

Published Date :

2024-09-17T18:36:00.411Z

Last Modified :

2025-03-14T19:45:27.172Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2024-45384 vulnerability.

Vendors Products
Apache
  • Druid
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-45384.

URL Resource
http://www.openwall.com/lists/oss-security/2024/09/17/1 cve-icon
https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact