{"containers": {"cna": {"affected": [{"product": "Apache Druid", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "0.21.1", "status": "affected", "version": "0.21.1 and earlier", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was originally discovered by chybeta from the Security Team of Alibaba Cloud."}, {"lang": "en", "value": "ABKing and g0udan from the Security Team of Xiaomi discovered that it was still an issue after CVE-2021-26920."}], "descriptions": [{"lang": "en", "value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1."}], "metrics": [{"other": {"content": {"other": "low"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"description": "Data accessible to unathorized parties", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-24T12:06:12.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"}, {"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)", "workarounds": [{"lang": "en", "value": "Users can avoid the issue by upgrading to 0.22.0 or a higher version.\n\nIn an earlier version than 0.22.0, when the user application wants to restrict the access to the local file system, it should disallow all InputSources that can read local files, that is the Local, HTTP, and HDFS InputSources."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-36749", "STATE": "PUBLIC", "TITLE": "Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Druid", "version": {"version_data": [{"version_affected": "<=", "version_name": "0.21.1 and earlier", "version_value": "0.21.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "This issue was originally discovered by chybeta from the Security Team of Alibaba Cloud."}, {"lang": "eng", "value": "ABKing and g0udan from the Security Team of Xiaomi discovered that it was still an issue after CVE-2021-26920."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "low"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Data accessible to unathorized parties"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"}, {"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be@%3Cannounce.apache.org%3E"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Users can avoid the issue by upgrading to 0.22.0 or a higher version.\n\nIn an earlier version than 0.22.0, when the user application wants to restrict the access to the local file system, it should disallow all InputSources that can read local files, that is the Local, HTTP, and HDFS InputSources."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:01:59.216Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"}, {"name": "[announce] 20210923 CVE-2021-36749: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-36749", "datePublished": "2021-09-24T09:30:11.000Z", "dateReserved": "2021-07-15T00:00:00.000Z", "dateUpdated": "2024-08-04T01:01:59.216Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:druid:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A299C23-7F4F-4654-AD2D-BCD7867D27DB", "versionEndExcluding": "0.22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1."}, {"lang": "es", "value": "En el sistema de ingesti\u00f3n de Druid, el InputSource es usado para leer datos de una determinada fuente de datos. Sin embargo, el HTTP InputSource permite a usuarios autenticados leer datos de otras fuentes distintas a las previstas, como el sistema de archivos local, con los privilegios del proceso del servidor Druid. Esto no es una elevaci\u00f3n de privilegios cuando los usuarios acceden a Druid directamente, ya que Druid tambi\u00e9n proporciona el InputSource local, que permite el mismo nivel de acceso. Pero es problem\u00e1tico cuando los usuarios interact\u00faan con Druid indirectamente mediante una aplicaci\u00f3n que permite a usuarios especificar el HTTP InputSource, pero no el Local InputSource. En este caso, los usuarios podr\u00edan omitir la restricci\u00f3n a nivel de aplicaci\u00f3n pasando una URL de archivo a la HTTP InputSource. Este problema ha sido mencionado anteriormente como corregido en la versi\u00f3n 0.21.0, seg\u00fan CVE-2021-26920, pero no fue corregido en las versiones 0.21.0 o 0.21.1."}], "id": "CVE-2021-36749", "lastModified": "2024-11-21T06:14:00.913", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-24T10:15:07.257", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be%40%3Cannounce.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d%40%3Cdev.druid.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "druid: HTTP InputSource allows authenticated users to read data from other sources (incomplete fix of CVE-2021-26920)", "id": "2007715", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007715"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.", "A flaw was found in druid. The HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the druid server process. The highest threat from this vulnerability is to data confidentiality. This vulnerability exists due to incomplete fix of CVE-2021-26920."], "name": "CVE-2021-36749", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2021-09-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-36749\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-36749\nhttps://lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be@%3Cannounce.apache.org%3E"], "statement": "OpenShift Container Platform (OCP) shipped Druid in the ose-metering-hive container, however InputSources such as HTTP and HDFS are not included, hence OCP is not affected by this vulnerability.", "threat_severity": "Moderate"}

{}