The credit for finding this CVE goes to XBOW security. On Wed, Mar 19, 2025 at 9:53 PM Adarsh Sanjeev <adarshsanj...@apache.org> wrote:
> Affected versions:
>
> - Apache Druid before 31.0.2
> - Apache Druid before 32.0.1
>
> Description:
>
> Severity: medium (5.8) / important
>
> Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid.
>
> This issue affects all previous Druid versions.
>
> When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.
>
> Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.
>
> References:
>
> https://druid.apache.org
> https://www.cve.org/CVERecord?id=CVE-2025-27888