Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wZ3E3LWpjajUteHg2aM4AAtJY
Apache Druid before 0.23.0 vulnerable to clickjacking
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
Permalink: https://github.com/advisories/GHSA-pgq7-jcj5-xx6hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZ3E3LWpjajUteHg2aM4AAtJY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Identifiers: GHSA-pgq7-jcj5-xx6h, CVE-2022-28889
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-28889
- https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw
- https://github.com/advisories/GHSA-pgq7-jcj5-xx6h
Affected Packages
maven:org.apache.druid:druid
Dependent packages: 1Dependent repositories: 1
Downloads:
Affected Version Ranges: < 0.23.0
Fixed in: 0.23.0
All affected versions: 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.19.0, 0.20.0, 0.20.1, 0.20.2, 0.21.0, 0.21.1, 0.22.0, 0.22.1
All unaffected versions: 0.23.0, 24.0.0, 24.0.1, 24.0.2, 25.0.0, 26.0.0, 27.0.0, 28.0.0, 28.0.1, 29.0.0