CVE-2021-44791

CWE-79Cross-site Scripting (XSS)4 documents4 sources
Severity
6.1MEDIUM
EPSS
6.0%
top 9.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache DruidApache Druid
Timeline
PublishedJul 7
Latest updateJul 8

Description

In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

Mavenorg.apache.druid:druid< 0.23.0
NVDapache/druid0.22.1
CVEListV5apache_software_foundation/apache_druidApache Druid0.22.1

🔴Vulnerability Details

3
OSV
Apache Druid before 0.23.0 vulnerable to reflected XSS via unescaped URL parameters2022-07-08
GHSA
Apache Druid before 0.23.0 vulnerable to reflected XSS via unescaped URL parameters2022-07-08
CVEList
Reflected XSS on certain HTTP endpoints2022-07-07
CVE-2021-44791 (MEDIUM CVSS 6.1) | In Apache Druid 0.22.1 and earlier | cvebase.io