CVE-2021-25646 (GCVE-0-2021-25646)
Vulnerability from cvelistv5
Published
2021-01-29 19:15
Modified
2025-02-13 16:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Remote code execution
Summary
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Druid |
Version: 0.20.0 and earlier < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:11:28.147Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
},
{
"name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Druid",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.20.0",
"status": "affected",
"version": "0.20.0 and earlier",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Litch1 from the Security Team of Alibaba Cloud."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T20:13:06.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
},
{
"name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f%40%3Cannounce.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"workarounds": [
{
"lang": "en",
"value": "Users should upgrade to Druid 0.20.1. Whenever possible, network access to cluster machines should be restricted to trusted hosts only."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-25646",
"STATE": "PUBLIC",
"TITLE": "Authenticated users can override system configurations in their requests which allows them to execute arbitrary code."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Druid",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0.20.0 and earlier",
"version_value": "0.20.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Litch1 from the Security Team of Alibaba Cloud."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"
},
{
"name": "[oss-security] 20210129 CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/01/29/6"
},
{
"name": "[druid-dev] 20210129 Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210129 Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92@%3Cdev.druid.apache.org%3E"
},
{
"name": "[announce] 20210129 Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4f84b542417ea46202867c0a8b3eaf3b4cfed30e09174a52122ba210@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rea9436a4063927a567d698431ddae55e760c3f876c22ac5b9813685f@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r121abe8014d381943b63c60615149d40bde9dc1c868bcee90d0d0848@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [druid] branch 0.21.0 updated: Fix CVE-2021-25646 (#10818) (#10854)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfeb775822cd3baef1595b60f6860f5ca849eb1903236483f3297bd5c@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210204 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04fa1ba93599487c95a8497044d37f8c02a439bfcf92b4567bfb7c8f@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson opened a new pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r87aa94e28dd21ee2252d30c63f01ab9cb5474ee5bdd98dd8d7d734aa@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7dff4790e7a5c697fc0360adf11f5aeb31cd6ad80644fffee690673c@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson commented on pull request #10818: Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra4225912f501016bc5e0ac44e14b8d6779173a3a1dc7baacaabcc9ba@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210205 [GitHub] [druid] jihoonson merged pull request #10854: [Backport] Fix CVE-2021-25646",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5ef625076982aee7d23c23f07717e626b73f421fba5154d1e4de15e1@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E"
},
{
"name": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users should upgrade to Druid 0.20.1. Whenever possible, network access to cluster machines should be restricted to trusted hosts only."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-25646",
"datePublished": "2021-01-29T19:15:12.000Z",
"dateReserved": "2021-01-21T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:49.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…