CVE-2022-28889— Clickjacking in the web console
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-28889
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Clickjacking in the web console
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不当限制渲染UI层或帧
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Druid 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Druid是美国阿帕奇(Apache)基金会的一款使用Java语言编写的、面向列的开源分布式数据库。 Apache Druid 0.22.1版本及之前版本存在安全漏洞,该漏洞源于服务器没有设置适当的header来防止点击劫持。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid | unspecified ~ 0.22.1 | - |
II. Public POCs for CVE-2022-28889
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-28889
请登录查看更多情报信息。
- https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cwx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2022-28889
IV. Related Vulnerabilities
Same product: Apache Druid
- CVE-2026-23906
Apache Druid: Authentication Bypass via LDAP Anonymous Bind - CVE-2025-59390
Apache Druid: Kerberos authenticaton chooses a cryptographic - CVE-2025-27888
Apache Druid: Server-Side Request Forgery and Cross-Site Scr - CVE-2024-45537
Apache Druid: Users can provide MySQL JDBC properties not on - CVE-2024-45384
Apache Druid: Padding oracle in druid-pac4j extension that a
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
Same weakness: CWE-1021
- CVE-2026-3254
Improper Restriction of Rendered UI Layers or Frames in GitL - CVE-2026-2378
Address bar spoofing risk in ArcSearch on Android - CVE-2025-62328
HCL Nomad server on Domino is affected by a missing default - CVE-2025-58405
Lack of protection mechanisms against Clickjacking attacks - CVE-2026-27511
Tenda F3 Clickjacking in Web Management Interface
V. Comments for CVE-2022-28889
No comments yet