icon

We found results for “

CVE-2021-26920

Good to know:

icon
icon

Date: July 2, 2021

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.

Language: Java

Severity Score

Related Resources (17)

Severity Score

Weakness Type (CWE)

Externally Controlled Reference to a Resource in Another Sphere

CWE-610

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Incorrect Authorization

CWE-863

Top Fix

icon

Upgrade Version

Upgrade to version org.apache.druid:druid-core:0.21.0;org.apache.druid:druid-server:0.21.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us