CVE-2021-26920: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended
First published: Fri Jul 02 2021(Updated: )
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Druid | <0.22.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-26920
- https://lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/07/02/1
- https://lists.apache.org/thread.html/r61aab724cf97d80da7f02d50e9af6de5c7c40dd92dab7518746fbaa2@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d@%3Cdev.druid.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/09/24/1
- https://github.com/advisories/GHSA-793h-6f7r-6qvm (Advisory)
- https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r61aab724cf97d80da7f02d50e9af6de5c7c40dd92dab7518746fbaa2%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E
Frequently Asked Questions
What is CVE-2021-26920?
CVE-2021-26920 is a vulnerability in the Druid ingestion system that allows authenticated users to read data from unintended sources, such as the local file system.
What is the severity of CVE-2021-26920?
CVE-2021-26920 has a severity rating of 6.5 (medium).
How does CVE-2021-26920 impact users?
CVE-2021-26920 allows authenticated users to access data from unintended sources, potentially leading to unauthorized access and data leakage.
What software is affected by CVE-2021-26920?
The Apache Druid Core version 0.21.0 and earlier are affected by CVE-2021-26920.
How can I fix CVE-2021-26920?
To fix CVE-2021-26920, upgrade to Apache Druid Core version 0.21.0 or later.
- collector/github-advisory-latest
- alias/GHSA-793h-6f7r-6qvm
- alias/CVE-2021-26920
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- collector/github-advisory
- source/GitHub
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/references
- agent/description
- collector/nvd-cve
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/first-publish-date
- agent/tags
- agent/event
- package-manager/maven
- vendor/apache
- canonical/apache druid