Apache Software Foundation Apache Drill vulnerabilities
2 known vulnerabilities affecting apache_software_foundation/apache_drill.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1
Vulnerabilities
CVE-2023-48362 | HIGH | CVSS 8.8 | CWE-611 | ≥ 1.19.0, < 1.21.2 | 2024-07-24
XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file.
Users are recommended to upgrade to version 1.21.2, which fixes this issue.
Sources: cvelistv5, nvd
CVE-2017-12630 | MEDIUM | CVSS 5.4 | CWE-79 | v1.11.0 and earlier | 2017-12-18
In Apache Drill 1.11.0 and earlier, when submitting a form from the Query page, users are able to pass arbitrary script or HTML, which will take effect on the Profile page afterwards. Example: after submitting a special script that returns cookie information from the Query page, a malicious user may obtain this information from the Profile page afterwards.
Sources: cvelistv5, nvd