Search criteria
20 vulnerabilities found for Apache Druid by Apache Software Foundation
CVE-2025-59390 (GCVE-0-2025-59390)
Vulnerability from nvd – Published: 2025-11-26 08:50 – Updated: 2025-11-26 14:59
VLAI?
Summary
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`,
which is not a crypto-graphically secure random number generator. This
may allow an attacker to predict or brute force the secret used to sign
authentication cookies, potentially enabling token forgery or
authentication bypass. Additionally, each process generates its own
fallback secret, resulting in inconsistent secrets across nodes. This
causes authentication failures in distributed or multi-broker
deployments, effectively leading to a incorrectly configured clusters. Users are
advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`
This issue affects Apache Druid: through 34.0.0.
Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.
Severity ?
No CVSS data available.
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0 , ≤ 34.0.0
(semver)
|
Credits
Luke Smith (smithluke1966@gmail.com)
1nfocalypse
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-26T09:06:57.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/26/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59390",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T14:57:50.711443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T14:59:04.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "34.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luke Smith (smithluke1966@gmail.com)"
},
{
"lang": "en",
"type": "analyst",
"value": "1nfocalypse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eApache Druid\u2019s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret\u003ccode\u003e\u003c/code\u003e` configuration is not explicitly set. In this case, the secret is generated using \u003ccode\u003e`ThreadLocalRandom`\u003c/code\u003e,\n which is not a crypto-graphically secure random number generator. This \nmay allow an attacker to predict or brute force the secret used to sign \nauthentication cookies, potentially enabling token forgery or \nauthentication bypass. Additionally, each process generates its own \nfallback secret, resulting in inconsistent secrets across nodes. This \ncauses authentication failures in distributed or multi-broker \ndeployments, effectively leading to a incorrectly configured clusters. Users are \nadvised to configure a strong\u0026nbsp;\u003ccode\u003e`druid.auth.authenticator.kerberos.cookieSignatureSecret`\u003c/code\u003e\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Druid: through 34.0.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the\u0026nbsp;Kerberos authenticator. Services will fail to come up if the secret is not set.\u0026nbsp;\u003c/p\u003e"
}
],
"value": "Apache Druid\u2019s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`,\n which is not a crypto-graphically secure random number generator. This \nmay allow an attacker to predict or brute force the secret used to sign \nauthentication cookies, potentially enabling token forgery or \nauthentication bypass. Additionally, each process generates its own \nfallback secret, resulting in inconsistent secrets across nodes. This \ncauses authentication failures in distributed or multi-broker \ndeployments, effectively leading to a incorrectly configured clusters. Users are \nadvised to configure a strong\u00a0`druid.auth.authenticator.kerberos.cookieSignatureSecret`\n\n\n\nThis issue affects Apache Druid: through 34.0.0.\n\nUsers are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the\u00a0Kerberos authenticator. Services will fail to come up if the secret is not set."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T08:50:07.322Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/jwjltllnntgj1sb9wzsjmvwm9f8rlhg8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59390",
"datePublished": "2025-11-26T08:50:07.322Z",
"dateReserved": "2025-09-15T10:03:37.911Z",
"dateUpdated": "2025-11-26T14:59:04.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27888 (GCVE-0-2025-27888)
Vulnerability from nvd – Published: 2025-03-20 11:29 – Updated: 2025-03-25 15:18
VLAI?
Summary
Severity: medium (5.8) / important
Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid.
This issue affects all previous Druid versions.
When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.
Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0 , < 31.0.2
(semver)
Affected: 32.0.0 (semver) |
Credits
XBOW
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-03-20T12:05:06.424Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/19/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T13:05:59.398503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T13:06:26.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.druid:druid",
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "31.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "32.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "XBOW"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSeverity: medium (5.8) / important\u003c/p\u003e\u003cp\u003eServer-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027),\u0026nbsp;URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Apache Druid.\u003c/p\u003e\u003cp\u003eThis issue affects all previous Druid versions.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eWhen using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid\u0027s out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Severity: medium (5.8) / important\n\nServer-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027),\u00a0URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Apache Druid.\n\nThis issue affects all previous Druid versions.\n\n\nWhen using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid\u0027s out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.\n\n\nUsers are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T15:18:04.929Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/c0qo989pwtrqkjv6xfr0c30dnjq8vf39"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Druid: Server-Side Request Forgery and Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-27888",
"datePublished": "2025-03-20T11:29:00.730Z",
"dateReserved": "2025-03-10T08:39:31.249Z",
"dateUpdated": "2025-03-25T15:18:04.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45537 (GCVE-0-2024-45537)
Vulnerability from nvd – Published: 2024-09-17 18:37 – Updated: 2025-03-14 15:09
VLAI?
Summary
Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list.
Users without the permission to configure JDBC connections are not able to exploit this vulnerability.
CVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2.
This issue is fixed in Apache Druid 30.0.1.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0 , ≤ 30.0.0
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T15:05:57.004598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T15:09:00.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.druid.extensions:druid-lookups-cached-global",
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "30.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eApache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eUsers without the permission to configure JDBC connections are not able to exploit this vulnerability.\u003cbr\u003eCVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2.\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThis issue is fixed in Apache Druid 30.0.1.\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list.\n\nUsers without the permission to configure JDBC connections are not able to exploit this vulnerability.\nCVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2.\n\nThis issue is fixed in Apache Druid 30.0.1."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T13:52:22.672Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/2ovx1t77y6tlkhk5b42clp4vwo4c8cjv"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Druid: Users can provide MySQL JDBC properties not on allow list",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45537",
"datePublished": "2024-09-17T18:37:49.823Z",
"dateReserved": "2024-09-02T07:13:35.647Z",
"dateUpdated": "2025-03-14T15:09:00.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45384 (GCVE-0-2024-45384)
Vulnerability from nvd – Published: 2024-09-17 18:36 – Updated: 2025-03-14 19:45
VLAI?
Summary
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j.
This could allow an attacker to manipulate a pac4j session cookie.
This issue affects Apache Druid versions 0.18.0 through 30.0.0.
Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.
While we are not aware of a way to meaningfully exploit this flaw, we
nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue
and ensuring you have a strong
druid.auth.pac4j.cookiePassphrase as a precaution.
Severity ?
No CVSS data available.
CWE
- Padding Oracle
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0.18.0 , ≤ 30.0.0
(semver)
|
Credits
mr-n30
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-17T21:02:30.856Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/17/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T15:06:56.610669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T19:45:27.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.druid.extensions:druid-pac4j",
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "30.0.0",
"status": "affected",
"version": "0.18.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mr-n30"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePadding Oracle vulnerability in Apache Druid extension, druid-pac4j.\u003cbr\u003eThis could allow an attacker to manipulate a pac4j session cookie.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Druid versions 0.18.0 through 30.0.0.\u003cbr\u003eSince the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cbr\u003eWhile we are not aware of a way to meaningfully exploit this flaw, we \nnevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue\u003cbr\u003eand ensuring you have a strong \ndruid.auth.pac4j.cookiePassphrase as a precaution.\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Padding Oracle vulnerability in Apache Druid extension, druid-pac4j.\nThis could allow an attacker to manipulate a pac4j session cookie.\n\nThis issue affects Apache Druid versions 0.18.0 through 30.0.0.\nSince the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.\n\nWhile we are not aware of a way to meaningfully exploit this flaw, we \nnevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue\nand ensuring you have a strong \ndruid.auth.pac4j.cookiePassphrase as a precaution."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Padding Oracle",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T18:36:00.411Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Druid: Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45384",
"datePublished": "2024-09-17T18:36:00.411Z",
"dateReserved": "2024-08-28T03:14:12.183Z",
"dateUpdated": "2025-03-14T19:45:27.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28889 (GCVE-0-2022-28889)
Vulnerability from nvd – Published: 2022-07-07 18:35 – Updated: 2024-08-03 06:10
VLAI?
Summary
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
Severity ?
No CVSS data available.
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
unspecified , ≤ 0.22.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:10:56.784Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.22.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-07T18:35:21",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Clickjacking in the web console",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Druid 0.23.0 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-28889",
"STATE": "PUBLIC",
"TITLE": "Clickjacking in the web console"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "0.22.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Druid 0.23.0 or later."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-28889",
"datePublished": "2022-07-07T18:35:22",
"dateReserved": "2022-04-09T00:00:00",
"dateUpdated": "2024-08-03T06:10:56.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44791 (GCVE-0-2021-44791)
Vulnerability from nvd – Published: 2022-07-07 18:35 – Updated: 2024-08-04 04:32
VLAI?
Summary
In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
Apache Druid , ≤ 0.22.1
(custom)
|
Credits
This issue was discovered by DangKhai from Viettel Cyber Security
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.108Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.22.1",
"status": "affected",
"version": "Apache Druid",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by DangKhai from Viettel Cyber Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-07T18:35:16",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected XSS on certain HTTP endpoints",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Druid 0.23.0 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-44791",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS on certain HTTP endpoints"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Druid",
"version_value": "0.22.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by DangKhai from Viettel Cyber Security"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Druid 0.23.0 or later."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-44791",
"datePublished": "2022-07-07T18:35:16",
"dateReserved": "2021-12-10T00:00:00",
"dateUpdated": "2024-08-04T04:32:13.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36749 (GCVE-0-2021-36749)
Vulnerability from nvd – Published: 2021-09-24 09:30 – Updated: 2024-08-04 01:01
VLAI?
Summary
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
Severity ?
No CVSS data available.
CWE
- Data accessible to unathorized parties
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0.21.1 and earlier , ≤ 0.21.1
(custom)
|
Credits
This issue was originally discovered by chybeta from the Security Team of Alibaba Cloud.
ABKing and g0udan from the Security Team of Xiaomi discovered that it was still an issue after CVE-2021-26920.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.21.1",
"status": "affected",
"version": "0.21.1 and earlier",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was originally discovered by chybeta from the Security Team of Alibaba Cloud."
},
{
"lang": "en",
"value": "ABKing and g0udan from the Security Team of Xiaomi discovered that it was still an issue after CVE-2021-26920."
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Data accessible to unathorized parties",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-24T12:06:12",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"workarounds": [
{
"lang": "en",
"value": "Users can avoid the issue by upgrading to 0.22.0 or a higher version.\n\nIn an earlier version than 0.22.0, when the user application wants to restrict the access to the local file system, it should disallow all InputSources that can read local files, that is the Local, HTTP, and HDFS InputSources."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-36749",
"STATE": "PUBLIC",
"TITLE": "Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0.21.1 and earlier",
"version_value": "0.21.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was originally discovered by chybeta from the Security Team of Alibaba Cloud."
},
{
"lang": "eng",
"value": "ABKing and g0udan from the Security Team of Xiaomi discovered that it was still an issue after CVE-2021-26920."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Data accessible to unathorized parties"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be@%3Cannounce.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users can avoid the issue by upgrading to 0.22.0 or a higher version.\n\nIn an earlier version than 0.22.0, when the user application wants to restrict the access to the local file system, it should disallow all InputSources that can read local files, that is the Local, HTTP, and HDFS InputSources."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-36749",
"datePublished": "2021-09-24T09:30:11",
"dateReserved": "2021-07-15T00:00:00",
"dateUpdated": "2024-08-04T01:01:59.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26920 (GCVE-0-2021-26920)
Vulnerability from nvd – Published: 2021-07-02 07:20 – Updated: 2024-08-03 20:33
VLAI?
Summary
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.
Severity ?
No CVSS data available.
CWE
- Data accessible to unathorized parties
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
Apache Druid , ≤ 0.20.2
(custom)
|
Credits
This issue was discovered by chybeta from the Security Team of Alibaba Cloud.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210702 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/02/1"
},
{
"name": "[announce] 20210701 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r61aab724cf97d80da7f02d50e9af6de5c7c40dd92dab7518746fbaa2%40%3Cannounce.apache.org%3E"
},
{
"name": "[druid-dev] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/24/1"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.20.2",
"status": "affected",
"version": "Apache Druid",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by chybeta from the Security Team of Alibaba Cloud."
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Data accessible to unathorized parties",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-24T12:06:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210702 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/02/1"
},
{
"name": "[announce] 20210701 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r61aab724cf97d80da7f02d50e9af6de5c7c40dd92dab7518746fbaa2%40%3Cannounce.apache.org%3E"
},
{
"name": "[druid-dev] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/24/1"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"workarounds": [
{
"lang": "en",
"value": "Users can avoid the issue by upgrading to 0.21.0 or a higher version.\n\nIn an earlier version than 0.21.0, when the user application wants to restrict the access to the local file system, it should disallow all InputSources that can read local files, that is the Local, HTTP, and HDFS InputSources."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-26920",
"STATE": "PUBLIC",
"TITLE": "Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Druid",
"version_value": "0.20.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by chybeta from the Security Team of Alibaba Cloud."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Data accessible to unathorized parties"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210702 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/02/1"
},
{
"name": "[announce] 20210701 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r61aab724cf97d80da7f02d50e9af6de5c7c40dd92dab7518746fbaa2@%3Cannounce.apache.org%3E"
},
{
"name": "[druid-dev] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d@%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/09/24/1"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be@%3Cannounce.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users can avoid the issue by upgrading to 0.21.0 or a higher version.\n\nIn an earlier version than 0.21.0, when the user application wants to restrict the access to the local file system, it should disallow all InputSources that can read local files, that is the Local, HTTP, and HDFS InputSources."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-26920",
"datePublished": "2021-07-02T07:20:13",
"dateReserved": "2021-02-09T00:00:00",
"dateUpdated": "2024-08-03T20:33:41.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26919 (GCVE-0-2021-26919)
Vulnerability from nvd – Published: 2021-03-30 07:50 – Updated: 2025-02-13 16:27
VLAI?
Summary
Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2
Severity ?
No CVSS data available.
CWE
- Remote code execution
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
Apache Druid , ≤ 0.20.1
(custom)
|
Credits
This issue was discovered by fantasyC4t from the Ant FG Security Lab.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.372Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f%40%3Cdev.druid.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.20.1",
"status": "affected",
"version": "Apache Druid",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by fantasyC4t from the Ant FG Security Lab."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T20:35:16.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f%40%3Cdev.druid.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Druid Authenticated users can execute arbitrary code from malicious MySQL database systems.",
"workarounds": [
{
"lang": "en",
"value": "Users should upgrade to Druid 0.20.2 and enable new Druid configurations to mitigate vulnerable MySQL JDBC properties.\nWhenever possible, network access to cluster machines should be restricted to trusted hosts only.\nEnsure that users have the minimum set of Druid permissions necessary, and are not granted access to functionality that they do not require."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-26919",
"STATE": "PUBLIC",
"TITLE": "Apache Druid Authenticated users can execute arbitrary code from malicious MySQL database systems."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Druid",
"version_value": "0.20.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by fantasyC4t from the Ant FG Security Lab."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f@%3Cdev.druid.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users should upgrade to Druid 0.20.2 and enable new Druid configurations to mitigate vulnerable MySQL JDBC properties.\nWhenever possible, network access to cluster machines should be restricted to trusted hosts only.\nEnsure that users have the minimum set of Druid permissions necessary, and are not granted access to functionality that they do not require."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-26919",
"datePublished": "2021-03-30T07:50:10.000Z",
"dateReserved": "2021-02-09T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:55.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25646 (GCVE-0-2021-25646)
Vulnerability from nvd – Published: 2021-01-29 19:15 – Updated: 2025-02-13 16:27
VLAI?
Summary
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Severity ?
No CVSS data available.
CWE
- Remote code execution
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0.20.0 and earlier , ≤ 0.20.0
(custom)
|
Credits
This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:11:28.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
},
{
"name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.20.0",
"status": "affected",
"version": "0.20.0 and earlier",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Litch1 from the Security Team of Alibaba Cloud."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T20:13:06.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
},
{
"name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"workarounds": [
{
"lang": "en",
"value": "Users should upgrade to Druid 0.20.1. Whenever possible, network access to cluster machines should be restricted to trusted hosts only."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-25646",
"STATE": "PUBLIC",
"TITLE": "Authenticated users can override system configurations in their requests which allows them to execute arbitrary code."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0.20.0 and earlier",
"version_value": "0.20.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Litch1 from the Security Team of Alibaba Cloud."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
},
{
"name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92@%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E"
},
{
"name": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users should upgrade to Druid 0.20.1. Whenever possible, network access to cluster machines should be restricted to trusted hosts only."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-25646",
"datePublished": "2021-01-29T19:15:12.000Z",
"dateReserved": "2021-01-21T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:49.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-59390 (GCVE-0-2025-59390)
Vulnerability from cvelistv5 – Published: 2025-11-26 08:50 – Updated: 2025-11-26 14:59
VLAI?
Summary
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`,
which is not a crypto-graphically secure random number generator. This
may allow an attacker to predict or brute force the secret used to sign
authentication cookies, potentially enabling token forgery or
authentication bypass. Additionally, each process generates its own
fallback secret, resulting in inconsistent secrets across nodes. This
causes authentication failures in distributed or multi-broker
deployments, effectively leading to a incorrectly configured clusters. Users are
advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`
This issue affects Apache Druid: through 34.0.0.
Users are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.
Severity ?
No CVSS data available.
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0 , ≤ 34.0.0
(semver)
|
Credits
Luke Smith (smithluke1966@gmail.com)
1nfocalypse
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-26T09:06:57.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/11/26/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59390",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T14:57:50.711443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T14:59:04.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "34.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luke Smith (smithluke1966@gmail.com)"
},
{
"lang": "en",
"type": "analyst",
"value": "1nfocalypse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eApache Druid\u2019s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret\u003ccode\u003e\u003c/code\u003e` configuration is not explicitly set. In this case, the secret is generated using \u003ccode\u003e`ThreadLocalRandom`\u003c/code\u003e,\n which is not a crypto-graphically secure random number generator. This \nmay allow an attacker to predict or brute force the secret used to sign \nauthentication cookies, potentially enabling token forgery or \nauthentication bypass. Additionally, each process generates its own \nfallback secret, resulting in inconsistent secrets across nodes. This \ncauses authentication failures in distributed or multi-broker \ndeployments, effectively leading to a incorrectly configured clusters. Users are \nadvised to configure a strong\u0026nbsp;\u003ccode\u003e`druid.auth.authenticator.kerberos.cookieSignatureSecret`\u003c/code\u003e\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Druid: through 34.0.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the\u0026nbsp;Kerberos authenticator. Services will fail to come up if the secret is not set.\u0026nbsp;\u003c/p\u003e"
}
],
"value": "Apache Druid\u2019s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`,\n which is not a crypto-graphically secure random number generator. This \nmay allow an attacker to predict or brute force the secret used to sign \nauthentication cookies, potentially enabling token forgery or \nauthentication bypass. Additionally, each process generates its own \nfallback secret, resulting in inconsistent secrets across nodes. This \ncauses authentication failures in distributed or multi-broker \ndeployments, effectively leading to a incorrectly configured clusters. Users are \nadvised to configure a strong\u00a0`druid.auth.authenticator.kerberos.cookieSignatureSecret`\n\n\n\nThis issue affects Apache Druid: through 34.0.0.\n\nUsers are recommended to upgrade to version 35.0.0, which fixes the issue making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the\u00a0Kerberos authenticator. Services will fail to come up if the secret is not set."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T08:50:07.322Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/jwjltllnntgj1sb9wzsjmvwm9f8rlhg8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Druid: Kerberos authenticaton chooses a cryptographically unsecure secret if not configured explicitly.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-59390",
"datePublished": "2025-11-26T08:50:07.322Z",
"dateReserved": "2025-09-15T10:03:37.911Z",
"dateUpdated": "2025-11-26T14:59:04.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27888 (GCVE-0-2025-27888)
Vulnerability from cvelistv5 – Published: 2025-03-20 11:29 – Updated: 2025-03-25 15:18
VLAI?
Summary
Severity: medium (5.8) / important
Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid.
This issue affects all previous Druid versions.
When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.
Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0 , < 31.0.2
(semver)
Affected: 32.0.0 (semver) |
Credits
XBOW
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-03-20T12:05:06.424Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/03/19/7"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-20T13:05:59.398503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T13:06:26.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.druid:druid",
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "31.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "affected",
"version": "32.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "XBOW"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSeverity: medium (5.8) / important\u003c/p\u003e\u003cp\u003eServer-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027),\u0026nbsp;URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Apache Druid.\u003c/p\u003e\u003cp\u003eThis issue affects all previous Druid versions.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgba(232, 232, 232, 0.04);\"\u003eWhen using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid\u0027s out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.\u003cbr\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Severity: medium (5.8) / important\n\nServer-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027),\u00a0URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Apache Druid.\n\nThis issue affects all previous Druid versions.\n\n\nWhen using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid\u0027s out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected.\n\n\nUsers are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T15:18:04.929Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/c0qo989pwtrqkjv6xfr0c30dnjq8vf39"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Druid: Server-Side Request Forgery and Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-27888",
"datePublished": "2025-03-20T11:29:00.730Z",
"dateReserved": "2025-03-10T08:39:31.249Z",
"dateUpdated": "2025-03-25T15:18:04.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45537 (GCVE-0-2024-45537)
Vulnerability from cvelistv5 – Published: 2024-09-17 18:37 – Updated: 2025-03-14 15:09
VLAI?
Summary
Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list.
Users without the permission to configure JDBC connections are not able to exploit this vulnerability.
CVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2.
This issue is fixed in Apache Druid 30.0.1.
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0 , ≤ 30.0.0
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T15:05:57.004598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T15:09:00.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.druid.extensions:druid-lookups-cached-global",
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "30.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eApache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003eUsers without the permission to configure JDBC connections are not able to exploit this vulnerability.\u003cbr\u003eCVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2.\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThis issue is fixed in Apache Druid 30.0.1.\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list.\n\nUsers without the permission to configure JDBC connections are not able to exploit this vulnerability.\nCVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2.\n\nThis issue is fixed in Apache Druid 30.0.1."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T13:52:22.672Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/2ovx1t77y6tlkhk5b42clp4vwo4c8cjv"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Druid: Users can provide MySQL JDBC properties not on allow list",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45537",
"datePublished": "2024-09-17T18:37:49.823Z",
"dateReserved": "2024-09-02T07:13:35.647Z",
"dateUpdated": "2025-03-14T15:09:00.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45384 (GCVE-0-2024-45384)
Vulnerability from cvelistv5 – Published: 2024-09-17 18:36 – Updated: 2025-03-14 19:45
VLAI?
Summary
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j.
This could allow an attacker to manipulate a pac4j session cookie.
This issue affects Apache Druid versions 0.18.0 through 30.0.0.
Since the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.
While we are not aware of a way to meaningfully exploit this flaw, we
nevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue
and ensuring you have a strong
druid.auth.pac4j.cookiePassphrase as a precaution.
Severity ?
No CVSS data available.
CWE
- Padding Oracle
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0.18.0 , ≤ 30.0.0
(semver)
|
Credits
mr-n30
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-17T21:02:30.856Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/09/17/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T15:06:56.610669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T19:45:27.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.druid.extensions:druid-pac4j",
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "30.0.0",
"status": "affected",
"version": "0.18.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mr-n30"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePadding Oracle vulnerability in Apache Druid extension, druid-pac4j.\u003cbr\u003eThis could allow an attacker to manipulate a pac4j session cookie.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Druid versions 0.18.0 through 30.0.0.\u003cbr\u003eSince the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cbr\u003eWhile we are not aware of a way to meaningfully exploit this flaw, we \nnevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue\u003cbr\u003eand ensuring you have a strong \ndruid.auth.pac4j.cookiePassphrase as a precaution.\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Padding Oracle vulnerability in Apache Druid extension, druid-pac4j.\nThis could allow an attacker to manipulate a pac4j session cookie.\n\nThis issue affects Apache Druid versions 0.18.0 through 30.0.0.\nSince the druid-pac4j extension is optional and disabled by default, Druid installations not using the druid-pac4j extension are not affected by this vulnerability.\n\nWhile we are not aware of a way to meaningfully exploit this flaw, we \nnevertheless recommend upgrading to version 30.0.1 or higher which fixes the issue\nand ensuring you have a strong \ndruid.auth.pac4j.cookiePassphrase as a precaution."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Padding Oracle",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T18:36:00.411Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gr94fnp574plb50lsp8jw4smvgv1lbz1"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Druid: Padding oracle in druid-pac4j extension that allows an attacker to manipulate a pac4j session cookie via Padding Oracle Attack",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-45384",
"datePublished": "2024-09-17T18:36:00.411Z",
"dateReserved": "2024-08-28T03:14:12.183Z",
"dateUpdated": "2025-03-14T19:45:27.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28889 (GCVE-0-2022-28889)
Vulnerability from cvelistv5 – Published: 2022-07-07 18:35 – Updated: 2024-08-03 06:10
VLAI?
Summary
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header.
Severity ?
No CVSS data available.
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
unspecified , ≤ 0.22.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:10:56.784Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.22.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-07T18:35:21",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Clickjacking in the web console",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Druid 0.23.0 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-28889",
"STATE": "PUBLIC",
"TITLE": "Clickjacking in the web console"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "0.22.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Druid 0.23.0 and later prevent clickjacking using the Content-Security-Policy header."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/t3nsq4crdr8wqgmj721d2wg6pf26s5cw"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Druid 0.23.0 or later."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-28889",
"datePublished": "2022-07-07T18:35:22",
"dateReserved": "2022-04-09T00:00:00",
"dateUpdated": "2024-08-03T06:10:56.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44791 (GCVE-0-2021-44791)
Vulnerability from cvelistv5 – Published: 2022-07-07 18:35 – Updated: 2024-08-04 04:32
VLAI?
Summary
In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
Apache Druid , ≤ 0.22.1
(custom)
|
Credits
This issue was discovered by DangKhai from Viettel Cyber Security
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.108Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.22.1",
"status": "affected",
"version": "Apache Druid",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by DangKhai from Viettel Cyber Security"
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-07T18:35:16",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reflected XSS on certain HTTP endpoints",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Druid 0.23.0 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-44791",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS on certain HTTP endpoints"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Druid",
"version_value": "0.22.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by DangKhai from Viettel Cyber Security"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/lh2kcl4j45q7xj4w6rqf6kwf0mvyp2o6"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Druid 0.23.0 or later."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-44791",
"datePublished": "2022-07-07T18:35:16",
"dateReserved": "2021-12-10T00:00:00",
"dateUpdated": "2024-08-04T04:32:13.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36749 (GCVE-0-2021-36749)
Vulnerability from cvelistv5 – Published: 2021-09-24 09:30 – Updated: 2024-08-04 01:01
VLAI?
Summary
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
Severity ?
No CVSS data available.
CWE
- Data accessible to unathorized parties
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0.21.1 and earlier , ≤ 0.21.1
(custom)
|
Credits
This issue was originally discovered by chybeta from the Security Team of Alibaba Cloud.
ABKing and g0udan from the Security Team of Xiaomi discovered that it was still an issue after CVE-2021-26920.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.21.1",
"status": "affected",
"version": "0.21.1 and earlier",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was originally discovered by chybeta from the Security Team of Alibaba Cloud."
},
{
"lang": "en",
"value": "ABKing and g0udan from the Security Team of Xiaomi discovered that it was still an issue after CVE-2021-26920."
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Data accessible to unathorized parties",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-24T12:06:12",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"workarounds": [
{
"lang": "en",
"value": "Users can avoid the issue by upgrading to 0.22.0 or a higher version.\n\nIn an earlier version than 0.22.0, when the user application wants to restrict the access to the local file system, it should disallow all InputSources that can read local files, that is the Local, HTTP, and HDFS InputSources."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-36749",
"STATE": "PUBLIC",
"TITLE": "Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0.21.1 and earlier",
"version_value": "0.21.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was originally discovered by chybeta from the Security Team of Alibaba Cloud."
},
{
"lang": "eng",
"value": "ABKing and g0udan from the Security Team of Xiaomi discovered that it was still an issue after CVE-2021-26920."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Data accessible to unathorized parties"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be@%3Cannounce.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users can avoid the issue by upgrading to 0.22.0 or a higher version.\n\nIn an earlier version than 0.22.0, when the user application wants to restrict the access to the local file system, it should disallow all InputSources that can read local files, that is the Local, HTTP, and HDFS InputSources."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-36749",
"datePublished": "2021-09-24T09:30:11",
"dateReserved": "2021-07-15T00:00:00",
"dateUpdated": "2024-08-04T01:01:59.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26920 (GCVE-0-2021-26920)
Vulnerability from cvelistv5 – Published: 2021-07-02 07:20 – Updated: 2024-08-03 20:33
VLAI?
Summary
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.
Severity ?
No CVSS data available.
CWE
- Data accessible to unathorized parties
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
Apache Druid , ≤ 0.20.2
(custom)
|
Credits
This issue was discovered by chybeta from the Security Team of Alibaba Cloud.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210702 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/02/1"
},
{
"name": "[announce] 20210701 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r61aab724cf97d80da7f02d50e9af6de5c7c40dd92dab7518746fbaa2%40%3Cannounce.apache.org%3E"
},
{
"name": "[druid-dev] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/24/1"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.20.2",
"status": "affected",
"version": "Apache Druid",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by chybeta from the Security Team of Alibaba Cloud."
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Data accessible to unathorized parties",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-24T12:06:15",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210702 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/02/1"
},
{
"name": "[announce] 20210701 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r61aab724cf97d80da7f02d50e9af6de5c7c40dd92dab7518746fbaa2%40%3Cannounce.apache.org%3E"
},
{
"name": "[druid-dev] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/09/24/1"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"workarounds": [
{
"lang": "en",
"value": "Users can avoid the issue by upgrading to 0.21.0 or a higher version.\n\nIn an earlier version than 0.21.0, when the user application wants to restrict the access to the local file system, it should disallow all InputSources that can read local files, that is the Local, HTTP, and HDFS InputSources."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-26920",
"STATE": "PUBLIC",
"TITLE": "Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Druid",
"version_value": "0.20.2"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by chybeta from the Security Team of Alibaba Cloud."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Data accessible to unathorized parties"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210702 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/02/1"
},
{
"name": "[announce] 20210701 CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r61aab724cf97d80da7f02d50e9af6de5c7c40dd92dab7518746fbaa2@%3Cannounce.apache.org%3E"
},
{
"name": "[druid-dev] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d@%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/09/24/1"
},
{
"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be@%3Cannounce.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users can avoid the issue by upgrading to 0.21.0 or a higher version.\n\nIn an earlier version than 0.21.0, when the user application wants to restrict the access to the local file system, it should disallow all InputSources that can read local files, that is the Local, HTTP, and HDFS InputSources."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-26920",
"datePublished": "2021-07-02T07:20:13",
"dateReserved": "2021-02-09T00:00:00",
"dateUpdated": "2024-08-03T20:33:41.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26919 (GCVE-0-2021-26919)
Vulnerability from cvelistv5 – Published: 2021-03-30 07:50 – Updated: 2025-02-13 16:27
VLAI?
Summary
Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2
Severity ?
No CVSS data available.
CWE
- Remote code execution
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
Apache Druid , ≤ 0.20.1
(custom)
|
Credits
This issue was discovered by fantasyC4t from the Ant FG Security Lab.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.372Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f%40%3Cdev.druid.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.20.1",
"status": "affected",
"version": "Apache Druid",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by fantasyC4t from the Ant FG Security Lab."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T20:35:16.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f%40%3Cdev.druid.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Druid Authenticated users can execute arbitrary code from malicious MySQL database systems.",
"workarounds": [
{
"lang": "en",
"value": "Users should upgrade to Druid 0.20.2 and enable new Druid configurations to mitigate vulnerable MySQL JDBC properties.\nWhenever possible, network access to cluster machines should be restricted to trusted hosts only.\nEnsure that users have the minimum set of Druid permissions necessary, and are not granted access to functionality that they do not require."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-26919",
"STATE": "PUBLIC",
"TITLE": "Apache Druid Authenticated users can execute arbitrary code from malicious MySQL database systems."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Druid",
"version_value": "0.20.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by fantasyC4t from the Ant FG Security Lab."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f@%3Cdev.druid.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users should upgrade to Druid 0.20.2 and enable new Druid configurations to mitigate vulnerable MySQL JDBC properties.\nWhenever possible, network access to cluster machines should be restricted to trusted hosts only.\nEnsure that users have the minimum set of Druid permissions necessary, and are not granted access to functionality that they do not require."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-26919",
"datePublished": "2021-03-30T07:50:10.000Z",
"dateReserved": "2021-02-09T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:55.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25646 (GCVE-0-2021-25646)
Vulnerability from cvelistv5 – Published: 2021-01-29 19:15 – Updated: 2025-02-13 16:27
VLAI?
Summary
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Severity ?
No CVSS data available.
CWE
- Remote code execution
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Affected:
0.20.0 and earlier , ≤ 0.20.0
(custom)
|
Credits
This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:11:28.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
},
{
"name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.20.0",
"status": "affected",
"version": "0.20.0 and earlier",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Litch1 from the Security Team of Alibaba Cloud."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T20:13:06.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
},
{
"name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"workarounds": [
{
"lang": "en",
"value": "Users should upgrade to Druid 0.20.1. Whenever possible, network access to cluster machines should be restricted to trusted hosts only."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-25646",
"STATE": "PUBLIC",
"TITLE": "Authenticated users can override system configurations in their requests which allows them to execute arbitrary code."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0.20.0 and earlier",
"version_value": "0.20.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Litch1 from the Security Team of Alibaba Cloud."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
},
{
"name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92@%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E"
},
{
"name": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users should upgrade to Druid 0.20.1. Whenever possible, network access to cluster machines should be restricted to trusted hosts only."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-25646",
"datePublished": "2021-01-29T19:15:12.000Z",
"dateReserved": "2021-01-21T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:49.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}