What is the severity of CVE-2024-45384?

CVE-2024-45384 is classified as a moderate severity vulnerability.

How do I fix CVE-2024-45384?

To mitigate CVE-2024-45384, upgrade the Apache Druid extension druid-pac4j to version 30.0.1 or later.

Which versions are affected by CVE-2024-45384?

CVE-2024-45384 affects Apache Druid versions from 0.18.0 to 30.0.0.

What kind of attack does CVE-2024-45384 enable?

CVE-2024-45384 allows an attacker to manipulate a pac4j session cookie, potentially compromising session security.

Vulnerability/
CVE-2024-45384

medium

5.3

CWE

347

17/9/2024

2/10/2024

CVE-2024-45384: Apache Druid: Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack

Q: Is druid-pac4j enabled by default in Apache Druid?

No, the druid-pac4j extension is optional and disabled by default in Apache Druid.

First published: Tue Sep 17 2024(Updated: )

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability. While we are not aware of a way to meaningfully exploit this flaw, we nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue and ensuring you have a strong druid.auth.pac4j.cookiePassphrase as a precaution.

Credit: security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
maven/org.apache.druid.extensions:druid-pac4j	>=0.18.0<30.0.1	30.0.1
Apache Druid	>=0.18.0<30.0.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-45384?
CVE-2024-45384 is classified as a moderate severity vulnerability.
How do I fix CVE-2024-45384?
To mitigate CVE-2024-45384, upgrade the Apache Druid extension druid-pac4j to version 30.0.1 or later.
Which versions are affected by CVE-2024-45384?
CVE-2024-45384 affects Apache Druid versions from 0.18.0 to 30.0.0.
What kind of attack does CVE-2024-45384 enable?
CVE-2024-45384 allows an attacker to manipulate a pac4j session cookie, potentially compromising session security.
Is druid-pac4j enabled by default in Apache Druid?
No, the druid-pac4j extension is optional and disabled by default in Apache Druid.

agent/title
agent/type
agent/first-publish-date
collector/oss-sec
source/oss-sec
alias/CVE-2024-45384
collector/github-advisory-latest
source/GitHub
alias/GHSA-p72w-r6fv-6g5h
agent/software-canonical-lookup
agent/references
agent/weakness
agent/description
agent/event
agent/author
collector/mitre-cve
source/MITRE
collector/nvd-cve
source/NVD
collector/github-advisory
collector/nvd-api
agent/severity
agent/last-modified-date
agent/softwarecombine
agent/tags
agent/trending
agent/source
package-manager/maven
vendor/apache
canonical/apache druid
version/apache druid/0.18.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.