CVE-2024-45537

Severity
6.5 MEDIUM
EPSS
0.3%
top 44.63%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Sep 17

Description

Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuring a MySQL JDBC connection, users can use a particularly-cra

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 3 packages

Vulnerability Details (3)

CVEList: Apache Druid: Users can provide MySQL JDBC properties not on allow list (2024-09-17)
GHSA: Apache Druid: Users can provide MySQL JDBC properties not on allow list (2024-09-17)
OSV: Apache Druid: Users can provide MySQL JDBC properties not on allow list (2024-09-17)