SCA: security update for org.apache.druid:druid (GHSA-w88f-4875-99c8)

critical Tenable Cloud Security Plugin ID 437297

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Apache Druid’s Kerberos authenticator uses a weak fallback secret when the
`druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this
case, the secret is generated using `ThreadLocalRandom`, which is not a crypto-graphically secure random
number generator. This may allow an attacker to predict or brute force the secret used to sign
authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each
process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes
authentication failures in distributed or multi-broker deployments, effectively leading to a incorrectly
configured clusters. Users are advised to configure a strong
`druid.auth.authenticator.kerberos.cookieSignatureSecret` This issue affects Apache Druid: through 34.0.0.
Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set
`druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services
will fail to come up if the secret is not set. (CVE-2025-59390)

See Also

https://github.com/advisories/GHSA-w88f-4875-99c8

Plugin Details

Severity: Critical

ID: 437297

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/28/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-59390

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/26/2025

Vulnerability Publication Date: 11/26/2025

Reference Information

CVE: CVE-2025-59390

cwe: CWE-338