{"schema_version": "1.6.1", "id": "CVE-2024-45384", "summary": "Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack", "details": "Padding Oracle vulnerability in Apache Druid extension, druid-pac4j.\nThis could allow an attacker to manipulate a pac4j session cookie.\n\nThis issue affects Apache Druid versions 0.18.0 through 30.0.0.\nSince the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.\n\nWhile we are not aware of a way to meaningfully exploit this flaw, we \nnevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue\nand ensuring you have a strong \ndruid.auth.pac4j.cookiePassphrase as a precaution.\n\n", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0.18.0"}, {"last_affected": "0.18.0"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1"}]}