CVE-2021-36749
Published: 2021-09-24
Priority: P2 · 76 · medium · 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 81.04% (99.6th percentile)
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | druid | < 0.22.0 | 0.22.0 |
Detection & IOCs (extracted from sources)
command: {"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"http","uris":[" file:///etc/passwd "]}},"dataSchema":{"dataSource":"sample","parser":{"type":"string", "parseSpec":{"format":"regex","pattern":"(.*)","columns":["a"],"dimensionsSpec":{},"timestampSpec":{"column":"no_ such_ column","missingValue":"2010-01-01T00:00:00Z"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}
yara regex: root:.*:0:0:
- Detect exploitation attempts by monitoring POST requests to the Druid sampler endpoint with a 'file://' URI scheme inside the HTTP InputSource 'uris' field, indicating an attempt to read local files via SSRF/LFI.
- Monitor POST requests to /druid/indexer/v1/sampler with Content-Type: application/json containing 'firehose' type 'http' and 'uris' values starting with 'file://'.
- A successful exploitation response body will contain Unix /etc/passwd-style content; match on regex pattern 'root:.*:0:0:' or 'druid:*:1000:1000:' in HTTP responses from the Druid sampler endpoint.
- This vulnerability requires authenticated access; alert on authenticated Druid users submitting ingestion specs with HTTP InputSource pointing to file:// URIs, which bypasses application-level restrictions.
- This vulnerability is an incomplete fix of CVE-2021-26920; versions 0.21.0 and 0.21.1 were believed to be patched but remain vulnerable.
- OpenShift Container Platform (OCP) is not affected because the ose-metering-hive container ships Druid without HTTP and HDFS InputSources.
- The vulnerability is only a security risk when users interact with Druid indirectly through an application that restricts Local InputSource but permits HTTP InputSource; direct Druid access is not an elevation of privilege since Local InputSource already provides equivalent access.
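The detection guidance above can be turned into a small request-log check. The following is an added example written for this page, not code from the Druid project or from any of the sources listed: it walks a parsed ingestion or sampler spec, flags any `"type": "http"` input source whose `uris` carry a non-http(s) scheme (so `file://` and any other local scheme are caught, not only the literal `file://` prefix), runs that check over constructed log lines in an assumed `<ts> user=<name> <METHOD> <path> body=<json>` format, and matches the page's `root:.*:0:0:` regex against a response body. The `/druid/indexer/v1/task` path is an assumption added alongside the sampler path the page names.

```python
import json
import re
from urllib.parse import urlparse

# Endpoints where user-supplied specs arrive. The sampler path is the one named
# on the page; the task path is an assumption added for completeness.
WATCHED_PATHS = ("/druid/indexer/v1/sampler", "/druid/indexer/v1/task")
ALLOWED_SCHEMES = {"http", "https"}
# Regex from the page's IoC list: a leaked /etc/passwd starts with the root entry.
PASSWD_RE = re.compile(r"root:.*:0:0:")
# Constructed log format (assumption): "<ts> user=<name> <METHOD> <path> body=<json>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body=(?P<body>.*)$"
)


def suspicious_uris(node):
    """Recursively walk a parsed spec and return every URI in an HTTP
    firehose/inputSource ("type": "http") whose scheme is not http(s)."""
    hits = []
    if isinstance(node, dict):
        if node.get("type") == "http" and isinstance(node.get("uris"), list):
            for uri in node["uris"]:
                if isinstance(uri, str):
                    cleaned = uri.strip()  # the page's payload pads the URI with spaces
                    if urlparse(cleaned).scheme.lower() not in ALLOWED_SCHEMES:
                        hits.append(cleaned)
        for value in node.values():
            hits.extend(suspicious_uris(value))
    elif isinstance(node, list):
        for value in node:
            hits.extend(suspicious_uris(value))
    return hits


def scan_log(lines):
    """Return one alert per POST to a watched path whose JSON body carries a
    non-http(s) URI inside an HTTP input source."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(WATCHED_PATHS):
            continue
        try:
            spec = json.loads(m["body"])
        except json.JSONDecodeError:
            continue  # body is not a spec; nothing to inspect
        uris = suspicious_uris(spec)
        if uris:
            alerts.append({"ts": m["ts"], "user": m["user"], "path": m["path"], "uris": uris})
    return alerts


def response_leaks_passwd(body):
    """True when a sampler response body looks like /etc/passwd content."""
    return PASSWD_RE.search(body) is not None


def _spec(uri):
    # Minimal sampler spec shaped like the page's payload (constructed).
    return {
        "type": "index",
        "spec": {
            "type": "index",
            "ioConfig": {"type": "index", "firehose": {"type": "http", "uris": [uri]}},
            "dataSchema": {"dataSource": "sample"},
        },
        "samplerConfig": {"numRows": 500, "timeoutMs": 15000},
    }


SAMPLE_LOG = [  # constructed sample lines
    "2021-09-24T10:00:00Z user=etl POST /druid/indexer/v1/sampler body="
    + json.dumps(_spec("https://files.example.test/data.csv")),
    "2021-09-24T10:00:05Z user=analyst POST /druid/indexer/v1/sampler body="
    + json.dumps(_spec(" file:///etc/passwd ")),
    "2021-09-24T10:00:09Z user=analyst GET /druid/indexer/v1/sampler body=",
    "2021-09-24T10:00:12Z user=analyst POST /druid/indexer/v1/sampler body=not-json",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Matching on the scheme rather than on the `file://` prefix is deliberate: the bypass is any source the HTTP input source will open that is not an HTTP(S) URL, so an allow-list of schemes is the check that generalizes. The same walk can be run inside an application that brokers specs to Druid, rejecting the spec before it is forwarded.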
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| ghsa | | 6.5 | MEDIUM | |
| osv | | 6.5 | MEDIUM | |
| vulncheck | | 6.5 | MEDIUM | |
| vendor_redhat | | 6.5 | MEDIUM | |
Red Hat (vendor_redhat · 2021-09-23 · CVSS 6.5)
CVE-2021-36749 [MEDIUM] CWE-200 druid: HTTP InputSource allows authenticated users to read data from other sources (incomplete fix of CVE-2021-26920)
GHSA (ghsa · 2021-09-27 · CVSS 6.5)
CVE-2021-36749 [MEDIUM] CWE-668 Druid ingestion system: authenticated users can read data from other sources than intended
OSV (osv · 2021-09-27 · CVSS 6.5)
CVE-2021-36749 [MEDIUM] Druid ingestion system: authenticated users can read data from other sources than intended
VulnCheck (vulncheck · 2021 · CVSS 6.5)
CVE-2021-36749 [MEDIUM] Apache druid Incorrect Authorization
No detection rules found.
Nuclei (nuclei · CVSS 6.5)
CVE-2021-36749 [MEDIUM] Apache Druid - Local File Inclusion
Apache Druid ingestion system is vulnerable to local file inclusion.
Unit42 (blogs_unit42 · 2022-05-31 · CVSS 9.8 [CRITICAL])
## Network Security Trends: November 2021 to January 2022
By Yue Guan. Published: May 31, 2022.
Tags: Threat Research, Vulnerabilities, Apache Log4j, Attack analysis, Denial of service, Exploit in Wild, Network security trends
## Executive Summary
Unit 42 researchers continually observe network attacks and search for insights that can assist defenders. Here, we summarize key trends from November 2021 to January 2022. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity distribution. We also classify vulnerabilities to provide a clear view of the prevalence of, for example, cross-site scripting or denial of service.
Cross-site scripting stood out as a commonly used technique. Among around 6,443 newly published vulnerabilities, we found that a large portion (almost 10.6%) still involve this technique. However, by evaluating around 167 million attack sessions and focusing on the latest exploits in the wild, we conclude that remote code execution
References:
- https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E