
CVE-2021-36749

Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)

Severity Score: 6.5 (CVSS v3.1)

Exploit Likelihood: - (EPSS)

Affected Versions: - (CPE)

Public Exploits: 3 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)
Descriptions

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.


*Credits: This issue was originally discovered by chybeta from the Security Team of Alibaba Cloud. ABKing and g0udan from the Security Team of Xiaomi discovered that it was still an issue after CVE-2021-26920.
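The bypass described above works because the application trusts that an HTTP InputSource will only ever fetch over HTTP. As an added example (not Druid's own code and not the fix that shipped in 0.22.0), the Python check below is what an intermediary application can run on a user-supplied ingestion spec before forwarding it to Druid: it admits only inputSource type "http" and only http(s) URIs, so a file: URI never reaches the HTTP InputSource. The spec layout (ioConfig.inputSource with type and uris) follows Druid's native batch format; the sample spec and URIs are constructed.

```python
"""Application-layer allowlist for Druid HTTP inputSource URIs.

Hypothetical check (not Druid's own code) for an application that lets
users specify the HTTP InputSource but not the Local InputSource.
"""
from urllib.parse import urlsplit

ALLOWED_INPUT_SOURCE_TYPES = {"http"}   # "local" is deliberately absent
ALLOWED_SCHEMES = {"http", "https"}


def rejected_uris(uris):
    """Return (uri, reason) pairs for every URI that must not be forwarded."""
    bad = []
    for raw in uris:
        if not isinstance(raw, str):
            bad.append((raw, "uri is not a string"))
            continue
        parts = urlsplit(raw.strip())      # strip() defeats leading blanks
        scheme = parts.scheme.lower()      # "FILE:" must not slip past
        if scheme not in ALLOWED_SCHEMES:
            bad.append((raw, f"scheme {scheme or '<none>'!r} not allowed"))
        elif not parts.netloc:
            bad.append((raw, "missing host"))
    return bad


def check_ingestion_spec(spec):
    """Validate spec["ioConfig"]["inputSource"]; return (ok, reasons)."""
    try:
        source = spec["ioConfig"]["inputSource"]
    except (KeyError, TypeError):
        return False, ["ioConfig.inputSource missing"]
    if source.get("type") not in ALLOWED_INPUT_SOURCE_TYPES:
        return False, [f"inputSource type {source.get('type')!r} not allowed"]
    uris = source.get("uris")
    if not isinstance(uris, list) or not uris:
        return False, ["uris must be a non-empty list"]
    bad = rejected_uris(uris)
    return not bad, [f"{uri}: {why}" for uri, why in bad]


if __name__ == "__main__":
    # Constructed sample spec, as an application might receive it from a user.
    sample = {"type": "index_parallel", "ioConfig": {"inputSource": {
        "type": "http",
        "uris": ["https://data.example.org/events.json",
                 "file:///etc/hostname", " FILE:///etc/hostname"]}}}
    print(check_ingestion_spec(sample))   # (False, [two file: rejections])
```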
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS v2.0
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-07-15 CVE Reserved
  • 2021-09-24 CVE Published
  • 2021-10-15 First Exploit
  • 2024-08-04 CVE Updated
  • 2024-08-16 EPSS Updated
  • - Exploited in Wild
  • - KEV Due Date
CWE
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version  | Other | Status
Apache | Druid   | < 0.22.0 | -     | Affected