Recommend setting a strong passphrase for druid-pac4j auth (#17712) (#17717)

kfaraz · web-flow · commit 1d7c0cbd5a21 · 2025-02-12T11:37:40.000+05:30
diff --git a/docs/development/extensions-core/druid-pac4j.md b/docs/development/extensions-core/druid-pac4j.md
@@ -47,11 +47,17 @@ druid.auth.authenticator.jwt.type=jwt
 ### Properties
 |Property|Description|Default|required|
 |--------|---------------|-----------|-------|
-|`druid.auth.pac4j.cookiePassphrase`|passphrase for encrypting the cookies used to manage authentication session with browser. It can be provided as plaintext string or The [Password Provider](../../operations/password-provider.md).|none|Yes|
+|`druid.auth.pac4j.cookiePassphrase`|Passphrase for encrypting the cookies used to manage authentication session with browser. It can be provided as plaintext string or the (recommended) [Password Provider](../../operations/password-provider.md).|none|Yes|
 |`druid.auth.pac4j.readTimeout`|Socket connect and read timeout duration used when communicating with authentication server|PT5S|No|
 |`druid.auth.pac4j.enableCustomSslContext`|Whether to use custom SSLContext setup via [simple-client-sslcontext](simple-client-sslcontext.md) extension which must be added to extensions list when this property is set to true.|false|No|
 |`druid.auth.pac4j.oidc.clientID`|OAuth Client Application id.|none|Yes|
 |`druid.auth.pac4j.oidc.clientSecret`|OAuth Client Application secret. It can be provided as plaintext string or The [Password Provider](../../operations/password-provider.md).|none|Yes|
 |`druid.auth.pac4j.oidc.discoveryURI`|discovery URI for fetching OP metadata [see this](http://openid.net/specs/openid-connect-discovery-1_0.html).|none|Yes|
 |`druid.auth.pac4j.oidc.oidcClaim`|[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims) that will be extracted from the ID Token after validation.|name|No|
-|`druid.auth.pac4j.oidc.scope`| scope is used by an application during authentication to authorize access to a user's details                                                                                                       |`openid profile email`|No
+|`druid.auth.pac4j.oidc.scope`| scope is used by an application during authentication to authorize access to a user's details.|`openid profile email`|No|
+
+:::info
+Users must set a strong passphrase to ensure that an attacker is not able to guess it simply by brute force.
+A compromised passphrase may allow an attacker to read and manipulate session cookies.
+For more details, see [CVE-2024-45384](https://nvd.nist.gov/vuln/detail/CVE-2024-45384).
+:::
diff --git a/website/.spelling b/website/.spelling
@@ -2191,9 +2191,7 @@ regionName
 json
 metastore
 UserGroupInformation
-CVE-2019-17571
-CVE-2019-12399
-CVE-2018-17196
+CVE-2024-45384
 bin.tar.gz
 0s
 1T
