Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended
CVE-2021-26920

6.5MEDIUM

Key Information:

Vendor
Apache
Status
Apache Druid
Vendor
CVE Published:
2 July 2021

Summary

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.

Affected Version(s)

Apache Druid Apache Druid <= 0.20.2

References

https://lists.apache.org/thread.html/r29e45561343cc5cf7d3...
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2021/07/02/1
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r61aab724cf97d80da7f...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered by chybeta from the Security Team of Alibaba Cloud.
.