⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2021-25646

CWE-732Incorrect Permission AssignmentCWE-94Code Injection11 documents9 sources
Severity
8.8HIGH
EPSS
94.0%
top 0.11%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Apache Software Foundation Apache DruidApache Druid
Timeline
PublishedJan 29
Latest updateJun 16

Description

Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with th

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

Mavenorg.apache.druid:druid< 0.20.1
NVDapache/druid0.20.0
CVEListV5apache_software_foundation/apache_druid0.20.0 and earlier0.20.0

🔴Vulnerability Details

4
GHSA
Code injection in Apache Druid2021-06-16
OSV
Code injection in Apache Druid2021-06-16
CVEList
Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.2021-01-29
VulnCheck
Apache Druid 0.20.0 Remote Command Execution2021

💥Exploits & PoCs

1
Nuclei
Apache Druid - Remote Code Execution

🔍Detection Rules

1
Suricata
ET WEB_SPECIFIC_APPS Possible Apache Druid RCE Inbound (CVE-2021-25646)2021-03-29

📋Vendor Advisories

1
Red Hat
druid: Authenticated javascript code injection2021-01-29

🕵️Threat Intelligence

3
Trendmicro
CVE-2021-25646: Getting Code Execution on Apache Druid2021-03-29
Trendmicro
CVE-2021-25646: Getting Code Execution on Apache Druid2021-03-29
Trendmicro
CVE-2021-25646: Getting Code Execution on Apache Druid2021-03-29
CVE-2021-25646 (HIGH CVSS 8.8) | Apache Druid includes the ability t | cvebase.io