CVE-2021-25646
Authenticated users can override system configuration in their requests, which allows them to execute arbitrary code.
- Public Exploits: 6
- Exploited in Wild: -
Descriptions
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests; however, that feature is disabled by default. In Druid versions prior to 0.20.1, an authenticated user can send a specially-crafted request that both enables the JavaScript code-execution feature and executes the supplied code all at once, allowing for code execution on the server with the privileges of the Druid Server process. More critically, authentication is not enabled in Apache Druid by default.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-01-21 CVE Reserved
- 2021-01-29 CVE Published
- 2021-02-03 First Exploit
- 2024-08-03 CVE Updated
- 2024-10-31 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
CAPEC
References (22)
URL | Date | SRC |
---|---|---|
https://github.com/Vulnmachines/Apache-Druid-CVE-2021-25646 | 2021-06-10 | |
https://github.com/j2ekim/CVE-2021-25646 | 2021-12-12 | |
https://github.com/givemefivw/CVE-2021-25646 | 2021-04-15 | |
https://github.com/lp008/CVE-2021-25646 | 2021-02-03 | |
https://github.com/Ormicron/CVE-2021-25646-GUI | 2021-02-05 | |
http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html | 2024-08-03 | |