oss-sec mailing list archives
CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.
From: Jihoon Son <jihoonson () apache org>
Date: Fri, 29 Jan 2021 09:57:45 -0800
Description: Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. Mitigation: Users should upgrade to Druid 0.20.1. Whenever possible, network access to cluster machines should be restricted to trusted hosts only. Credit: This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.
Current thread:
- CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code. Jihoon Son (Jan 29)