CVE-2021-26920

Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource.

En el sistema de ingestión de Druid, el InputSource es usado para leer datos de una determinada fuente de datos. Sin embargo, el HTTP InputSource permite a usuarios autenticados leer datos de otras fuentes distintas a las previstas, como el sistema de archivos local, con los privilegios del proceso del servidor Druid. Esto no es una elevación de privilegios cuando unos usuarios acceden a Druid directamente, ya que Druid también proporciona el InputSource Local, que permite el mismo nivel de acceso. Pero es problemático cuando unos usuarios interactúan con Druid indirectamente mediante una aplicación que permite a usuarios especificar el HTTP InputSource, pero no el Local InputSource. En este caso, unos usuarios podrían omitir la restricción a nivel de aplicación pasando una URL de archivo al HTTP InputSource

*Credits: This issue was discovered by chybeta from the Security Team of Alibaba Cloud.

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-02-09 CVE Reserved
2021-07-02 CVE Published
2023-11-08 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-610: Externally Controlled Reference to a Resource in Another Sphere

CAPEC

References (6)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/07/02/1	Mailing List
http://www.openwall.com/lists/oss-security/2021/09/24/1	Mailing List
https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r61aab724cf97d80da7f02d50e9af6de5c7c40dd92dab7518746fbaa2%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Druid Search vendor "Apache" for product "Druid"				< 0.22.0 Search vendor "Apache" for product "Druid" and version " < 0.22.0"		-		Affected