CVE-2024-45384

MEDIUM Year: 2024
CVSS v3 Score
5.3
Medium
Weakness Type
CWE-209
View all →

Vulnerability Description

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.

Related Vulnerabilities

CVE-2013-6879

MEDIUM
CVSS:5.3(Medium)

The Mijosoft MijoSearch component 2.0.1 and earlier for Joomla! allows remote attackers to obtain sensitive information via a request to component/mijosearch/search, which reveals the installation pat...

CWE-2092013

CVE-2018-1073

MEDIUM
CVSS:5.3(Medium)

The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user account...

CWE-2092018

CVE-2018-12536

MEDIUM
CVSS:5.3(Medium)

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled...

CWE-2092018

CVE-2018-14907

MEDIUM
CVSS:5.3(Medium)

The Web server in 3CX version 15.5.8801.3 is vulnerable to Information Leakage, because of improper error handling in Stack traces, as demonstrated by discovering a full pathname.

CWE-2092018

CVE-2019-11602

MEDIUM
CVSS:5.3(Medium)

Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the...

CWE-2092019