Description
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
Remediation
References
https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw
Related Vulnerabilities
CVE-2021-39149 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2022-41932 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2023-25166 Vulnerability in npm package @sideway/formula
CVE-2023-27900 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2023-49299 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-master