Drill Apache Drill

Do you want an email whenever new security vulnerabilities are reported in Apache Drill?

By the Year

In 2022 there have been 0 vulnerabilities in Apache Drill . Last year Drill had 1 security vulnerability published. Right now, Drill is on track to have less security vulnerabilities in 2022 than it did last year.

Year Vulnerabilities Average Score
2022 0 0.00
2021 1 7.50
2020 1 5.30
2019 2 6.00
2018 0 0.00

It may take a day or so for new Drill vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Drill Security Vulnerabilities

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory

CVE-2021-36090 7.5 - High - July 13, 2021

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Apache HttpClient versions prior to version 4.5.13 and 5.0.3

CVE-2020-13956 5.3 - Medium - December 02, 2020

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta

CVE-2019-0201 5.9 - Medium - May 23, 2019

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeepers getACL() command doesnt check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

AuthZ

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler

CVE-2019-10241 6.1 - Medium - April 22, 2019

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

XSS

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Oracle Retail Xstore Point Of Service or by Apache? Click the Watch button to subscribe.

Apache
Vendor

Apache Drill
Product

subscribe