Description

In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.

Remediation

References

https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw

Related Vulnerabilities

CVE-2020-2204 Vulnerability in maven package org.jenkins-ci.plugins:fortify-on-demand-uploader

CVE-2020-13925 Vulnerability in maven package org.apache.kylin:kylin-server

CVE-2020-2125 Vulnerability in maven package ru.yandex.jenkins.plugins.debuilder:debian-package-builder

CVE-2023-35145 Vulnerability in maven package org.jenkins-ci.plugins:sonargraph-integration

CVE-2020-27216 Vulnerability in maven package org.eclipse.jetty:jetty-webapp

Severity

Medium

Classification

CWE-1021 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Tags

Mailing List Vendor Advisory