Druid
CVE-2021-26920
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 63 maven packages depend on org.apache.druid:druid-core (62 direct, 1 indirect)
- 2,014 npm packages depend on fast-xml-parser (696 direct, 1,319 indirect)
Ecosystem-wide dependent count for version 0.21.0 and other introduced versions.
DescriptionNVD
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.
AnalysisAI
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-610. In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. Affected products include: Apache Druid.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. Rated
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. Rated medium severit
Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSign
Apache Druid allows users to read data from other database systems using JDBC. Rated high severity (CVSS 8.8), this vuln
In Druid 1.2.3, visiting the path with parameter in a certain function can lead to directory traversal. Rated high sever
Apache Druid allows users with certain permissions to read data from other database systems using JDBC. Rated medium sev
When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials c
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. Rated medium severity (CVSS 5.3), this vulnerabilit
In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Rated medium sev
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today