What is the vulnerability ID of this Apache Druid vulnerability?

The vulnerability ID of this Apache Druid vulnerability is CVE-2021-26919.

What is the severity of CVE-2021-26919?

The severity of CVE-2021-26919 is high with a severity value of 8.8.

What does CVE-2021-26919 allow attackers to do?

CVE-2021-26919 allows attackers to read data from other database systems using JDBC.

Which versions of Apache Druid are affected by CVE-2021-26919?

Apache Druid versions up to exclusive version 0.20.2 are affected by CVE-2021-26919.

Is there any additional information available about CVE-2021-26919?

Additional information about CVE-2021-26919 can be found in the references: [Reference 1](https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E), [Reference 2](https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E), [Reference 3](https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E).

Vulnerability/
CVE-2021-26919

high

8.8

30/3/2021

3/6/2022

CVE-2021-26919

First published: Tue Mar 30 2021(Updated: )

Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2

Credit: security@apache.org

Affected Software	Affected Version	How to fix
Apache Druid	<0.20.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID of this Apache Druid vulnerability?
The vulnerability ID of this Apache Druid vulnerability is CVE-2021-26919.
What is the severity of CVE-2021-26919?
The severity of CVE-2021-26919 is high with a severity value of 8.8.
What does CVE-2021-26919 allow attackers to do?
CVE-2021-26919 allows attackers to read data from other database systems using JDBC.
Which versions of Apache Druid are affected by CVE-2021-26919?
Apache Druid versions up to exclusive version 0.20.2 are affected by CVE-2021-26919.
Is there any additional information available about CVE-2021-26919?
Additional information about CVE-2021-26919 can be found in the references: [Reference 1](https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E), [Reference 2](https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E), [Reference 3](https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E).