CVE-2022-28889UI Misrepresentation / Clickjacking in Apache Druid

CWE-1021UI Misrepresentation / Clickjacking4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
2.2%
top 15.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache DruidApache Software Foundation Apache Druid
Timeline
PublishedJul 7
Latest updateJul 8

Description

In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDapache/druid< 0.23.0
CVEListV5apache_software_foundation/apache_druidunspecified0.22.1

🔴Vulnerability Details

3
OSV
Apache Druid before 0.23.0 vulnerable to clickjacking2022-07-08
GHSA
Apache Druid before 0.23.0 vulnerable to clickjacking2022-07-08
CVEList
Clickjacking in the web console2022-07-07
CVE-2022-28889 — UI Misrepresentation / Clickjacking | cvebase