Apache Drill
By the Year
In 2024 there has been 1 vulnerability in Apache Drill, with an average score of 8.8 out of ten. Drill did not have any published security vulnerabilities last year, so 1 more vulnerability has already been reported in 2024 than in the whole of last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 1 | 8.80 |
2023 | 0 | 0.00 |
2022 | 0 | 0.00 |
2021 | 1 | 7.50 |
2020 | 1 | 5.30 |
2019 | 3 | 6.50 |
2018 | 0 | 0.00 |
It may take a day or so for new Drill vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Drill Security Vulnerabilities
XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater
CVE-2023-48362
8.8 - High
- July 24, 2024
XXE in the XML Format Plugin in Apache Drill version 1.19.0 and greater allows a user to read any file on a remote file system or execute commands via a malicious XML file. Users are recommended to upgrade to version 1.21.2, which fixes this issue.
XXE
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory
CVE-2021-36090
7.5 - High
- July 13, 2021
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Apache HttpClient versions prior to version 4.5.13 and 5.0.3
CVE-2020-13956
5.3 - Medium
- December 02, 2020
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2
CVE-2019-14439
7.5 - High
- July 30, 2019
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Marshaling, Unmarshaling
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta
CVE-2019-0201
5.9 - Medium
- May 23, 2019
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request from unauthenticated or unprivileged users.
AuthZ
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler
CVE-2019-10241
6.1 - Medium
- April 22, 2019
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
XSS
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0
CVE-2010-5312
6.1 - Medium
- November 24, 2014
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
XSS