CVE-2022-28889
Clickjacking in the web console
In short
The Apache Druid web console was vulnerable to clickjacking: an attacker could load the console inside a transparent frame on a page they control and trick users into clicking hidden buttons or links. This could lead to unauthorized actions being performed without the user's knowledge.
Technical detail
Druid versions 0.22.1 and earlier were vulnerable to clickjacking because the web console responses lacked anti-clickjacking headers (X-Frame-Options and Content-Security-Policy). An attacker could host a malicious page that iframes the Druid console and overlays transparent elements to trick authenticated users into performing unintended actions. Mitigated in version 0.23.0 by sending a proper Content-Security-Policy header.
Summary generated and translated by AI from the official description.
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
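The fix described above works by telling the browser which origins may frame the console. The following checker is an added example (not Druid's own code) for verifying that a deployed instance actually sends such a header: it parses a captured response header block and applies the browser rules that matter here: an enforced frame-ancestors directive takes precedence over X-Frame-Options, a Content-Security-Policy-Report-Only header never blocks framing, and the obsolete X-Frame-Options ALLOW-FROM form is not enforced by current browsers. The two sample responses are constructed for illustration; the 'self' value shown in the hardened one is an assumed hardening choice, not the literal header that Druid 0.23.0 emits.

```python
"""
Added example (not Druid's own code): decide from a set of HTTP response
headers whether a browser would let a third-party origin frame the page,
i.e. whether the response is still exposed to clickjacking.
"""
from typing import Dict, List, Tuple

# frame-ancestors sources that let an arbitrary third-party origin frame us.
_PERMISSIVE_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_raw_headers(raw: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines (e.g. the output of curl -i) into a dict keyed
    by lower-cased header name; repeated headers are collected in order."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line or body text
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(
                t.lower() for t in tokens[1:])
    return directives


def _frame_ancestors_restrictive(sources: List[str]) -> bool:
    """An empty source list or 'none' blocks all framing; a list that contains
    no wildcard/scheme-only source is restricted to specific origins."""
    if not sources or sources == ["'none'"]:
        return True
    return not any(s in _PERMISSIVE_SOURCES for s in sources)


def clickjacking_protection(headers) -> Tuple[bool, str]:
    """Return (protected, reason). Accepts a plain dict whose values are strings
    or lists of strings, or the output of parse_raw_headers()."""
    norm: Dict[str, List[str]] = {}
    for name, value in headers.items():
        vals = value if isinstance(value, list) else [value]
        norm.setdefault(name.lower(), []).extend(vals)

    # Rule 1: an enforced CSP frame-ancestors directive wins; browsers ignore
    # X-Frame-Options when it is present. Multiple policies are intersected,
    # so one restrictive policy is enough to block framing.
    fa_policies = [parse_csp(c).get("frame-ancestors")
                   for c in norm.get("content-security-policy", [])]
    fa_policies = [p for p in fa_policies if p is not None]
    if fa_policies:
        if any(_frame_ancestors_restrictive(p) for p in fa_policies):
            return True, "CSP frame-ancestors restricts framing: " + " | ".join(
                " ".join(p) or "'none'" for p in fa_policies)
        return False, "CSP frame-ancestors allows any origin: " + " | ".join(
            " ".join(p) for p in fa_policies)

    # Rule 2: fall back to X-Frame-Options.
    for xfo in norm.get("x-frame-options", []):
        v = xfo.strip().upper()
        if v in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {v}"
        if v.startswith("ALLOW-FROM"):
            return False, "X-Frame-Options ALLOW-FROM is obsolete; current browsers ignore it"
        return False, f"X-Frame-Options value not recognised: {xfo!r}"

    # Rule 3: report-only policies are monitored, never enforced.
    if "content-security-policy-report-only" in norm:
        return False, "only a report-only CSP is set; it does not block framing"
    return False, "no CSP frame-ancestors directive and no X-Frame-Options header"


# Constructed sample responses (illustrative, not captured from a real Druid instance).
UNPROTECTED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Cache-Control: no-cache
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Security-Policy: frame-ancestors 'self'
"""

if __name__ == "__main__":
    for label, raw in (("unprotected", UNPROTECTED_RESPONSE),
                       ("hardened", HARDENED_RESPONSE)):
        ok, why = clickjacking_protection(parse_raw_headers(raw))
        print(f"{label}: {'protected' if ok else 'EXPOSED'} ({why})")
```

To use it against a live console, paste the header block from `curl -i` on the console URL into `parse_raw_headers`; a result of `EXPOSED` on a version later than 0.22.1 means a proxy or load balancer in front of Druid is stripping the header.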
Affected products
Apache Software Foundation · Apache Druid