Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Filtered by product Drill
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-10241 4 Apache, Debian, Eclipse and 1 more 7 Activemq, Drill, Debian Linux and 4 more 2022-04-22 4.3 MEDIUM 6.1 MEDIUM
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
CVE-2019-0201 5 Apache, Debian, Netapp and 2 more 11 Activemq, Drill, Zookeeper and 8 more 2022-04-19 4.3 MEDIUM 5.9 MEDIUM
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
CVE-2017-12630 1 Apache 1 Drill 2018-01-05 3.5 LOW 5.4 MEDIUM
In Apache Drill 1.11.0 and earlier when submitting form from Query page users are able to pass arbitrary script or HTML which will take effect on Profile page afterwards. Example: after submitting special script that returns cookie information from Query page, malicious user may obtain this information from Profile page afterwards.