CVE-2021-25646 – org.apache.druid:druid
Package
Manager: maven
Name: org.apache.druid:druid
Vulnerable Version: >=0 <0.20.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.94055 (percentile 0.99894)
Details
Code injection in Apache Druid
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Metadata
Created: 2021-06-16T17:40:47Z
Modified: 2021-04-05T21:52:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-wrqf-rrrw-w3mg/GHSA-wrqf-rrrw-w3mg.json
CWE IDs: ["CWE-732"]
Alternative ID: GHSA-wrqf-rrrw-w3mg
Finding: F039
Auto approve: 1