Multiple Apple tvOS Vulnerabilities
September 20, 2024CISA Alerts of Active Exploitation of Apache HugeGraph-Server Flaw
September 20, 2024Multiple Apple tvOS Vulnerabilities
September 20, 2024CISA Alerts of Active Exploitation of Apache HugeGraph-Server Flaw
September 20, 2024Severity
Medium
Analysis Summary
CVE-2024-45537 CVSS:5.4
Apache Druid could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization validation. By sending a specially crafted JDBC connection string, an attacker could exploit this vulnerability to provide properties that are not on allow list.
CVE-2024-45384 CVSS:6.5
Apache Druid could allow a remote attacker to bypass security restrictions, caused by a flaw in the druid-pac4j extension. By utilizing padding oracle attack techniques, an attacker could exploit this vulnerability to manipulate a pac4j session cookie.
Impact
- Security Bypass
Indicators of Compromise
CVE
- CVE-2024-45537
- CVE-2024-45384
Affected Vendors
Affected Products
- Apache Druid - 30.0.0
- Apache Druid - 0.18.0
Remediation
Upgrade to the latest version of Apache, available from the Apache Website.