Severity: 6.5 MEDIUM
EPSS: 3.2% (top 13.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 2; Latest update Sep 23

Description

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid ind

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

NVD: apache/druid < 0.22.0
CVEListV5: apache_software_foundation/apache_druid (Apache Druid) 0.20.2+1

Vulnerability Details (4)

GHSA: Druid ingestion system Authenticated users can read data from other sources than intended (2021-08-13)
OSV: Druid ingestion system Authenticated users can read data from other sources than intended (2021-08-13)
CVEList: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (2021-07-02)
VulnCheck: Apache druid Externally Controlled Reference to a Resource in Another Sphere (2021)

Vendor Advisories (2)

Red Hat: druid: HTTP InputSource allows authenticated users to read data from other sources (incomplete fix of CVE-2021-26920) (2021-09-23)
Red Hat: druid: HTTP InputSource allows authenticated users to read data from other sources (2021-07-02)
CVE-2021-26920 (MEDIUM CVSS 6.5) | In the Druid ingestion system | cvebase.io