Skip to main content

Druid CVE-2024-45537

MEDIUM
Improper Input Validation (CWE-20)
2024-09-17 security@apache.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 17, 2024 - 19:15 nvd
MEDIUM 6.5

DescriptionNVD

Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list.

Users without the permission to configure JDBC connections are not able to exploit this vulnerability. CVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2.

This issue is fixed in Apache Druid 30.0.1.

AnalysisAI

Apache Druid allows users with certain permissions to read data from other database systems using JDBC. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-20. Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list. Users without the permission to configure JDBC connections are not able to exploit this vulnerability. CVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2. This issue is fixed in Apache Druid 30.0.1. Affected products include: Apache Druid.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Druid

View all
CVE-2021-25646 HIGH POC
8.8 Jan 29

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. Rated

CVE-2021-36749 MEDIUM POC
6.5 Sep 24

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. Rated medium severit

CVE-2025-27888 MEDIUM POC
5.8 Mar 20

Severity: medium (5.8) / important Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2025-59390 CRITICAL
9.8 Nov 26

Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSign

CVE-2021-26919 HIGH
8.8 Mar 30

Apache Druid allows users to read data from other database systems using JDBC. Rated high severity (CVSS 8.8), this vuln

CVE-2021-33800 HIGH
7.5 Nov 03

In Druid 1.2.3, visiting the path with parameter in a certain function can lead to directory traversal. Rated high sever

CVE-2021-26920 MEDIUM
6.5 Jul 02

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. Rated medium severit

CVE-2020-1958 MEDIUM
6.5 Apr 01

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials c

CVE-2024-45384 MEDIUM
5.3 Sep 17

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. Rated medium severity (CVSS 5.3), this vulnerabilit

CVE-2022-28889 MEDIUM
4.3 Jul 07

In Apache Druid 0.22.1 and earlier, the server did not set appropriate headers to prevent clickjacking. Rated medium sev

Share

CVE-2024-45537 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy