Description
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
Remediation
References
https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw
Related Vulnerabilities
CVE-2019-10313 Vulnerability in maven package org.jenkins-ci.plugins:twitter
CVE-2016-4434 Vulnerability in maven package org.apache.tika:tika-bundle
CVE-2022-36916 Vulnerability in maven package org.jenkins-ci.plugins:google-cloud-backup
CVE-2023-40345 Vulnerability in maven package org.jenkins-ci.plugins:delphix