<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Jihoon Son <jihoonson () apache org>
Date: Fri, 29 Jan 2021 09:57:45 -0800
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Description:
Apache Druid includes the ability to execute user-provided JavaScript
code embedded in various types of requests. This functionality is
intended for use in high-trust environments, and is disabled by
default. However, in Druid 0.20.0 and earlier, it is possible for an
authenticated user to send a specially-crafted request that forces
Druid to run user-provided JavaScript code for that request,
regardless of server configuration. This can be leveraged to execute
code on the target machine with the privileges of the Druid server
process.
Mitigation:
Users should upgrade to Druid 0.20.1. Whenever possible, network
access to cluster machines should be restricted to trusted hosts only.
Credit:
This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code. Jihoon Son (Jan 29)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->