Main Vulnerability Database SB2021092404

SB2021092404 - Security restrictions bypass in Apache Druid

Published: September 24, 2021 Updated: October 14, 2021

Security Bulletin ID SB2021092404

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Security restrictions bypass (CVE-ID: CVE-2021-36749)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to a design error in the HTTP InputSource method, which allows a remote authenticated user to view contents of local files on the system.

Note, the vulnerability exists due to incomplete fix for #VU54554 (CVE-2021-26920).

Remediation

Install update from vendor's website.

References

http://seclists.org/oss-sec/2021/q3/186