Thanks Adarsh!

Our systems are still on v29. We do have a planned upgrade but we want
to try to protect ourselves from this as quickly as possible.

Two questions:

1) Since it looks like this is a simple one-line fix, can we consider
backporting to a few more major versions, such as v29?

2) Is there a simple pattern in HTTP requests to druid-router that
triggers this issue, which we could explicitly block at a level in front
of druid-router before we are able to upgrade to a fixed version?

On Wed, Mar 19, 2025 at 9:23 AM Adarsh Sanjeev <adarshsanj...@apache.org> wrote:
>
> Affected versions:
>
> - Apache Druid before 31.0.2
> - Apache Druid before 32.0.1
>
> Description:
>
> Severity: medium (5.8) / important
>
> Server-Side Request Forgery (SSRF), Improper Neutralization of Input During 
> Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted 
> Site ('Open Redirect') vulnerability in Apache Druid.
>
> This issue affects all previous Druid versions.
>
>
> When using the Druid management proxy, a request that has a specially crafted 
> URL could be used to redirect the request to an arbitrary server instead. 
> This has the potential for XSS or XSRF. The user is required to be 
> authenticated for this exploit. The management proxy is enabled in Druid's 
> out-of-box configuration. It may be disabled to mitigate this vulnerability. 
> If the management proxy is disabled, some web console features will not work 
> properly, but core functionality is unaffected.
>
>
> Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes 
> the issue.
>
> References:
>
> https://druid.apache.org
> https://www.cve.org/CVERecord?id=CVE-2025-27888
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> For additional commands, e-mail: dev-h...@druid.apache.org
>

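The advisory quoted above names one interim mitigation for installations that cannot upgrade yet: disabling the management proxy on the router. The following is an added example, not part of this thread and not code from the Druid project. It is a small audit script that parses a router's `runtime.properties` and reports whether the management proxy is switched on. It assumes the property is named `druid.router.managementProxy.enabled` and that an absent key means the feature is off; the sample properties text is constructed for the example.

```python
"""Audit a Druid router runtime.properties for the management proxy setting.

Added example; not part of the mailing-list thread or the Druid project.
Assumption: the router property is named druid.router.managementProxy.enabled
and the feature is off when the key is absent.
"""
from typing import Dict

# Assumed property name (not stated in the advisory itself).
MANAGEMENT_PROXY_KEY = "druid.router.managementProxy.enabled"


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties text: key=value or key:value, '#'/'!' comments,
    and backslash line continuations. Later duplicates win, as in Java."""
    logical_lines = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + line
            pending = ""
        # A single trailing backslash continues the line; "\\" is a literal.
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        logical_lines.append(line)
    if pending:
        logical_lines.append(pending)

    props: Dict[str, str] = {}
    for line in logical_lines:
        if not line or line[0] in "#!":
            continue
        sep = min((i for i, ch in enumerate(line) if ch in "=:"), default=None)
        if sep is None:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def management_proxy_enabled(props: Dict[str, str]) -> bool:
    """True only when the key is present and explicitly 'true' (assumed default: false)."""
    return props.get(MANAGEMENT_PROXY_KEY, "false").strip().lower() == "true"


def audit(properties_text: str) -> str:
    """Return a one-line verdict suitable for a fleet-wide config sweep."""
    if management_proxy_enabled(parse_properties(properties_text)):
        return (f"EXPOSED: {MANAGEMENT_PROXY_KEY}=true; set it to false until a "
                f"fixed Druid version is deployed")
    return f"OK: {MANAGEMENT_PROXY_KEY} is false or unset"


# Constructed sample, modelled on a router runtime.properties file.
SAMPLE_ROUTER_PROPERTIES = """\
# constructed sample router config
druid.service=druid/router
druid.plaintextPort=8888
druid.router.managementProxy.enabled=true
"""

# The same file with the mitigation applied.
HARDENED_ROUTER_PROPERTIES = SAMPLE_ROUTER_PROPERTIES.replace(
    "managementProxy.enabled=true", "managementProxy.enabled=false"
)

if __name__ == "__main__":
    print(audit(SAMPLE_ROUTER_PROPERTIES))
    print(audit(HARDENED_ROUTER_PROPERTIES))
```

Run it against each router's `runtime.properties` (for example from a config-management checkout) to find nodes still carrying the exposed setting. Bear in mind the caveat the advisory states: with the proxy disabled, some web console features stop working while core functionality is unaffected, so treat this as a stopgap until the upgrade to 31.0.2 or 32.0.1.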