We did a security scan on our Druid cluster, which is on version 0.22.1, and found the following vulnerabilities:
- com.google.oauth-client:google-oauth-client|1.26.0|CVE-2020-7692|CRITICAL|google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization
- net.minidev:json-smart|1.3.1|CVE-2021-27568|CRITICAL|json-smart: uncaught exception may lead to crash or information disclosure
- org.postgresql:postgresql|42.2.14|CVE-2022-21724|CRITICAL|jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
- org.apache.spark:spark-core_2.11|2.4.3|CVE-2018-17190|CRITICAL|Low severity vulnerability that affects org.apache.spark:spark-core_2.10 and org.apache.spark:spark-core_2.11
Any plans on fixing these critical security vulnerabilities?
In addition, there are these severe but less critical vulnerabilities:
- CVE-2020-36518
- CVE-2020-9492
- CVE-2020-13936
- CVE-2021-44878