CVE-2022-28889

MEDIUM

Apache Druid <0.23.0 - CSRF

Title source: llm

Description

In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.

References (1)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw

Scores

CVSS v3 4.3

EPSS 0.0224

EPSS Percentile 84.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE

CWE-1021

Status published

Products (2)

apache/druid < 0.23.0

org.apache.druid/druid 0 - 0.23.0Maven

Published Jul 07, 2022

Tracked Since Feb 18, 2026