List:       oss-security
Subject:    [oss-security] CVE-2021-25646: Authenticated users can override system configurations in their reque
From:       Jihoon Son <jihoonson () apache ! org>
Date:       2021-01-29 17:57:45
Message-ID: CACZfFK5qhiaNND7Tsf4AKG=Jh9Nk4pHKSLKKCmZS7Au6pEgVqA () mail ! gmail ! com
Description:

Apache Druid includes the ability to execute user-provided JavaScript
code embedded in various types of requests. This functionality is
intended for use in high-trust environments, and is disabled by
default. However, in Druid 0.20.0 and earlier, it is possible for an
authenticated user to send a specially-crafted request that forces
Druid to run user-provided JavaScript code for that request,
regardless of server configuration. This can be leveraged to execute
code on the target machine with the privileges of the Druid server
process.

Mitigation:

Users should upgrade to Druid 0.20.1. Whenever possible, network
access to cluster machines should be restricted to trusted hosts only.
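The two practical responses the advisory describes are a version check against the fixed release and refusing to let JavaScript-backed request components reach a Druid cluster where they are not supposed to run. The following Python is an added example written here, not code from Apache Druid or from the advisory: it compares a reported Druid version against 0.20.1, and walks an arbitrary request body looking for any JSON object with `"type": "javascript"`, which is how Druid expresses JavaScript-backed aggregators, filters and extraction functions. Because the check covers the entire body rather than specific fields, it applies regardless of which request type or configuration override carries the code. The gateway-side use and the sample request bodies are constructed for illustration.

```python
"""Defender-side checks for CVE-2021-25646 (added example; not Druid project code)."""
import json
import re
from typing import Any, Iterator, List, Tuple

# Stated in the advisory: Druid 0.20.0 and earlier are affected; 0.20.1 fixes it.
FIXED_VERSION: Tuple[int, int, int] = (0, 20, 1)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a 'major.minor.patch' Druid version string (suffixes such as
    '-incubating' are ignored)."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Druid version string: {version!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True when the reported Druid version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_javascript_uses(node: Any, path: str = "$") -> Iterator[str]:
    """Yield a JSONPath-like location for every object whose "type" is
    "javascript", anywhere in the document (aggregators, filters, extraction
    functions, or anything else a request might embed)."""
    if isinstance(node, dict):
        if str(node.get("type", "")).lower() == "javascript":
            yield path
        for key, value in node.items():
            yield from find_javascript_uses(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_javascript_uses(value, f"{path}[{index}]")


def check_request_body(body: str) -> List[str]:
    """Return the locations of JavaScript-backed components in a request body.
    An empty list means the body may be forwarded; a non-empty list means a
    gateway or proxy in front of Druid should reject it (hypothetical
    deployment; the advisory itself recommends upgrading and network
    restriction)."""
    try:
        document = json.loads(body)
    except json.JSONDecodeError:
        # Unparseable bodies cannot be vetted, so treat them as findings.
        return ["$ (body is not valid JSON; reject or inspect manually)"]
    return list(find_javascript_uses(document))


# Constructed sample request bodies (not taken from the advisory).
BENIGN_QUERY = json.dumps({
    "queryType": "timeseries",
    "dataSource": "events",
    "granularity": "day",
    "aggregations": [{"type": "count", "name": "rows"}],
    "intervals": ["2021-01-01/2021-01-02"],
})

JS_QUERY = json.dumps({
    "queryType": "timeseries",
    "dataSource": "events",
    "granularity": "day",
    "aggregations": [
        {"type": "count", "name": "rows"},
        {"type": "javascript", "name": "js_metric", "fieldNames": ["x"],
         "fnAggregate": "<placeholder>", "fnCombine": "<placeholder>",
         "fnReset": "<placeholder>"},
    ],
    "intervals": ["2021-01-01/2021-01-02"],
})

if __name__ == "__main__":
    for version in ("0.19.0", "0.20.0", "0.20.1"):
        print(version, "affected" if is_affected(version) else "fixed")
    print("benign:", check_request_body(BENIGN_QUERY))
    print("javascript:", check_request_body(JS_QUERY))
```

The body-walking check is deliberately independent of which Druid endpoint receives the request: the advisory only says that "various types of requests" can embed JavaScript, so a policy that keys on the `"type": "javascript"` marker anywhere in the document does not depend on knowing the specific override path, and it remains a useful belt-and-braces control even after upgrading.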

Credit:

This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.