Description

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

Remediation

References

http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html

http://www.openwall.com/lists/oss-security/2021/01/29/6

https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E

https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E

https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E

https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E

https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E

Related Vulnerabilities

CVE-2020-28433 Vulnerability in npm package node-latex-pdf

CVE-2020-35211 Vulnerability in maven package io.atomix:atomix

CVE-2020-26217 Vulnerability in maven package xstream:xstream

CVE-2020-2230 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-40152 Vulnerability in maven package com.fasterxml.woodstox:woodstox-core

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Third Party Advisory VDB Entry Mailing List Vendor Advisory NVD-CWE-noinfo