GHSA-9p5g-vg43-mj5r

Suggest an improvement
Source
https://github.com/advisories/GHSA-9p5g-vg43-mj5r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9p5g-vg43-mj5r/GHSA-9p5g-vg43-mj5r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9p5g-vg43-mj5r
Aliases
Published
2021-09-27T20:13:25Z
Modified
2024-02-16T08:04:11.953238Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Druid ingestion system Authenticated users can read data from other sources than intended
Details

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.

References

Affected packages

Maven / org.apache.druid:druid-core

Package

Name
org.apache.druid:druid-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.druid/druid-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.22.0

Affected versions

0.*

0.14.0-incubating
0.14.1-incubating
0.14.2-incubating
0.15.0-incubating
0.15.1-incubating
0.16.0-incubating
0.16.1-incubating
0.17.0
0.17.1
0.18.0
0.18.1
0.19.0
0.20.0
0.20.1
0.20.2
0.21.0
0.21.1