CVE-2024-45384

Published: Sep 17, 2024

Modified: Mar 14, 2025

PUBLISHED

Description

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.

Vendor	Product	Versions
Apache Software Foundation	Apache Druid	affected `0.18.0 - <= 30.0.0`

References

https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-45384

Description

Affected Products

References