Bug 1923092 (CVE-2021-25646) - CVE-2021-25646 druid: Authenticated javascript code injection
Summary: CVE-2021-25646 druid: Authenticated javascript code injection
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-25646
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1934593 1927410
Blocks: 1923093
Reported: 2021-02-01 12:07 UTC by Pedro Sampaio
Modified: 2021-10-28 08:43 UTC

Fixed In Version: druid 0.20.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-28 08:43:22 UTC
Embargoed:



Description Pedro Sampaio 2021-02-01 12:07:12 UTC
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.

References:

http://www.openwall.com/lists/oss-security/2021/01/29/6
https://lists.apache.org/thread.html/r20e0c3b10ae2c05a3aad40f1476713c45bdefc32c920b9986b941d8f@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r64431c2b97209f566b5dff92415e7afba0ed3bfab4695ebaa8a62e5d@%3Cdev.druid.apache.org%3E
https://lists.apache.org/thread.html/rc167d5e57f3120578718a7a458ce3e73b3830ac4efbb1b085bd06b92@%3Cdev.druid.apache.org%3E
https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E

Comment 2 Przemyslaw Roguski 2021-02-10 16:39:51 UTC
Upstream fix:
https://github.com/apache/druid/commit/ae4b1920c53d34008ab55cfa2e368a8affad77a0

