CVE-2021-25646 is a vulnerability in Apache Druid
Published on January 29, 2021
Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Products Associated with CVE-2021-25646
Want to know whenever a new CVE is published for Apache Druid? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Druid:- Version 0.20.0 and earlier, <= 0.20.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.