Vulnerability-Lookup

GHSA-WRQF-RRRW-W3MG

Vulnerability from github – Published: 2021-06-16 17:40 – Updated: 2021-04-05 21:52

Summary

Code injection in Apache Druid

Details

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.druid:druid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.20.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-05T21:52:53Z",
    "nvd_published_at": "2021-01-29T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.",
  "id": "GHSA-wrqf-rrrw-w3mg",
  "modified": "2021-04-05T21:52:53Z",
  "published": "2021-06-16T17:40:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25646"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92@%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Code injection in Apache Druid"
}

CVE-2021-25646 (GCVE-0-2021-25646)

Vulnerability from cvelistv5 – Published: 2021-01-29 19:15 – Updated: 2025-02-13 16:27

Title

Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.

Summary

Severity

No CVSS data available.

CWE

Remote code execution

Assigner

apache

References

16 references

URL	Tags
https://lists.apache.org/thread.html/rfda8a3aa6ac…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2021/01/29/6	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r64431c2b972…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rc167d5e57f3…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r20e0c3b10ae…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r4f84b542417…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rea9436a4063…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r121abe8014d…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rfeb775822cd…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r04fa1ba9359…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r87aa94e28dd…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r7dff4790e7a…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/ra4225912f50…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r5ef62507698…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r443e2916c61…	mailing-listx_refsource_MLIST
http://packetstormsecurity.com/files/162345/Apach…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Druid	Affected: 0.20.0 and earlier , ≤ 0.20.0 (custom)

Credits

This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:11:28.147Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
          },
          {
            "name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
          },
          {
            "name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E"
          },
          {
            "name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E"
          },
          {
            "name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E"
          },
          {
            "name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Druid",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "0.20.0",
              "status": "affected",
              "version": "0.20.0 and earlier",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Litch1 from the Security Team of Alibaba Cloud."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Remote code execution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-03T20:13:06.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
        },
        {
          "name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
        },
        {
          "name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E"
        },
        {
          "name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E"
        },
        {
          "name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E"
        },
        {
          "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E"
        },
        {
          "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E"
        },
        {
          "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E"
        },
        {
          "name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E"
        },
        {
          "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E"
        },
        {
          "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E"
        },
        {
          "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E"
        },
        {
          "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E"
        },
        {
          "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E"
        },
        {
          "name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
      "workarounds": [
        {
          "lang": "en",
          "value": "Users should upgrade to Druid 0.20.1. Whenever possible, network access to cluster machines should be restricted to trusted hosts only."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-25646",
          "STATE": "PUBLIC",
          "TITLE": "Authenticated users can override system configurations in their requests which allows them to execute arbitrary code."
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Druid",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "0.20.0 and earlier",
                            "version_value": "0.20.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was discovered by Litch1 from the Security Team of Alibaba Cloud."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Remote code execution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
            },
            {
              "name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
            },
            {
              "name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3E"
            },
            {
              "name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92@%3Cdev.druid.apache.org%3E"
            },
            {
              "name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1@%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E"
            },
            {
              "name": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Users should upgrade to Druid 0.20.1. Whenever possible, network access to cluster machines should be restricted to trusted hosts only."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-25646",
    "datePublished": "2021-01-29T19:15:12.000Z",
    "dateReserved": "2021-01-21T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:27:49.264Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-WRQF-RRRW-W3MG

CVE-2021-25646 (GCVE-0-2021-25646)

Tags

Sightings

Nomenclature