CVE-2021-36749
published 2021-09-24


Priority P276 · medium 6.5 (CVSS 3.1) · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 81.04% (99.6th percentile)
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.

Affected (1 range)

Vendor: apache · Product: druid · Version range: < 0.22.0 · Fixed in: 0.22.0

Detection & IOCs (extracted from sources)

URL: /druid/indexer/v1/sampler?for=connect
Path: file:///etc/passwd
Command: {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":[" file:///etc/passwd "]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string", "parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"no_ such_ column","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
YARA/regex: root:.*:0:0:
  • Detect exploitation attempts by monitoring POST requests to the Druid sampler endpoint with a 'file://' URI scheme inside the HTTP InputSource 'uris' field, indicating an attempt to read local files via SSRF/LFI.
  • Monitor POST requests to /druid/indexer/v1/sampler with Content-Type: application/json containing 'firehose' type 'http' and 'uris' values starting with 'file://'.
  • A successful exploitation response body will contain Unix /etc/passwd-style content; match on regex pattern 'root:.*:0:0:' or 'druid:*:1000:1000:' in HTTP responses from the Druid sampler endpoint.
  • This vulnerability requires authenticated access; alert on authenticated Druid users submitting ingestion specs with HTTP InputSource pointing to file:// URIs, which bypasses application-level restrictions.
  • This vulnerability is an incomplete fix of CVE-2021-26920; versions 0.21.0 and 0.21.1 were believed to be patched but remain vulnerable.
  • OpenShift Container Platform (OCP) is not affected because the ose-metering-hive container ships Druid without HTTP and HDFS InputSources.
  • The vulnerability is only a security risk when users interact with Druid indirectly through an application that restricts Local InputSource but permits HTTP InputSource; direct Druid access is not an elevation of privilege since Local InputSource already provides equivalent access.
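As an added defender-side example (written here, not taken from the record's sources or the Druid project), the following Python checker implements the first three detection bullets: it walks a sampler ingestion spec, flags any HTTP input source whose URI scheme is not http(s), and matches the passwd pattern on responses. The request body is a constructed sample in the shape of the captured payload, keeping the whitespace-padded URI; the JSON-path labels and the assumption that a newer `inputSource` object also carries `type` and `uris` are mine.

```python
import json
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
SAMPLER_PATH = "/druid/indexer/v1/sampler"
PASSWD_PATTERN = re.compile(r"root:.*:0:0:")  # response regex quoted in the record

# Constructed request body in the shape of the record's sampler payload (legacy
# "firehose" form). The stray spaces around the URI are deliberate: a plain
# startswith("file://") check on the raw value would miss them.
SAMPLE_BODY = ('{"type":"index","spec":{"type":"index","ioConfig":{"type":"index",'
               '"firehose":{"type":"http","uris":[" file:///etc/passwd "]}}}}')

def find_http_sources(node, path="$"):
    """Yield (json_path, uris) for every object of type 'http' that carries a 'uris' list,
    whether it sits under the legacy 'firehose' key or a newer 'inputSource' key (assumed)."""
    if isinstance(node, dict):
        if node.get("type") == "http" and isinstance(node.get("uris"), list):
            yield path, node["uris"]
        for key, value in node.items():
            yield from find_http_sources(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_http_sources(value, f"{path}[{i}]")

def suspicious_uris(spec):
    """Return (json_path, uri) pairs whose scheme is anything but http(s): file://, FILE://, empty."""
    hits = []
    for path, uris in find_http_sources(spec):
        for raw in uris:
            if isinstance(raw, str):
                uri = raw.strip()  # normalise the padding seen in the captured payload
                if urlsplit(uri).scheme.lower() not in ALLOWED_SCHEMES:
                    hits.append((path, uri))
    return hits

def check_sampler_request(method, url, body):
    """Flag a POST to the sampler endpoint whose spec names a non-http(s) URI in an HTTP source."""
    if method.upper() != "POST" or url.split("?", 1)[0] != SAMPLER_PATH:
        return []
    try:
        spec = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []  # not JSON: nothing to inspect here (log separately if desired)
    return suspicious_uris(spec)

def response_leaks_passwd(body):
    """True when a sampler response body contains a Unix passwd root entry."""
    return PASSWD_PATTERN.search(body) is not None
```

Run the checker over proxy or access-log request bodies for the sampler endpoint; a hit on the request plus a passwd match on the response is the strongest signal of a successful read.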

CVSS provenance

nvd v3.1: 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
nvd v2.0: 4.0 MEDIUM (AV:N/AC:L/Au:S/C:P/I:N/A:N)
ghsa: 6.5 MEDIUM
osv: 6.5 MEDIUM
vulncheck: 6.5 MEDIUM
vendor_redhat: 6.5 MEDIUM