CVE-2017-12630

Name of the Vulnerable Software and Affected Versions Apache Drill versions 1.11.0 and earlier

Description The issue allows users to pass arbitrary script or HTML when submitting a form from the Query page, which takes effect on the Profile page afterwards. For example, a malicious user can submit a special script that returns cookie information from the Query page and then obtain this information from the Profile page.

Recommendations For Apache Drill versions 1.11.0 and earlier, consider disabling the Query page form submission functionality until a patch is available to prevent arbitrary script or HTML injection. Restrict access to the Profile page to minimize the risk of exploitation. Avoid using the Query page to submit sensitive information until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.