Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14cDRnLTV4ajYtNnZwcs4AAXoZ

Apache Drill vulnerable to Cross-site Scripting

In Apache Drill 1.11.0 and earlier, when submitting a form from the Query page, users are able to pass arbitrary script or HTML, which then takes effect on the Profile page. Example: after submitting a specially crafted script that returns cookie information from the Query page, a malicious user may obtain this information from the Profile page afterwards.

Permalink: https://github.com/advisories/GHSA-xp4g-5xj6-6vpr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cDRnLTV4ajYtNnZwcs4AAXoZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-xp4g-5xj6-6vpr, CVE-2017-12630
References:
Blast Radius: 7.4

Affected Packages

maven:org.apache.drill:drill-common
Dependent packages: 45
Dependent repositories: 23
Downloads:
Affected Version Ranges: < 1.12.0
Fixed in: 1.12.0
All affected versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0
All unaffected versions: 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.19.0, 1.20.0, 1.20.2, 1.21.0, 1.21.1