Lucene search

GitHub Advisory DatabaseGHSA-QH2G-7H5P-MXF4

HistoryFeb 09, 2022 - 10:05 p.m.

Credentials bypass in Apache Druid

2022-02-0922:05:39

CWE-74

CWE-200

GitHub Advisory Database

github.com

apache druid

ldap authentication

credentials bypass

security disclosure

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

71.5%

JSON

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.

Affected configurations

Vulners

Node

org.apache.druiddruidMatch0.17.0

VendorProductVersionCPE
org.apache.druiddruid0.17.0cpe:2.3:a:org.apache.druid:druid:0.17.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.druid	druid	0.17.0	cpe:2.3:a:org.apache.druid:druid:0.17.0:::::::*

References

github.com/advisories/GHSA-qh2g-7h5p-mxf4

github.com/apache/druid/commit/dbaabdd24710fef726c5730c609937706f456a44#diff-fab6b7a8a160a405e787690201aade5462961550c97715ab18de6ad07a3edf7e

github.com/apache/druid/pull/9600#issuecomment-607497875

lists.apache.org/thread.html/r026540c617d334007810cd8f0068f617b5c78444be00a31fc1b03390@%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/r1526dbce98a138629a41daa06c13393146ddcaf8f9d273cc49d57681@%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/r1c32c95543d44559b8d7fd89b0a85f728c80e8b715685bbf788a15a4@%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/r47c90a378efdb3fd07ff7f74095b8eb63b3ca93b8ada5c2661c5e371@%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/r75e74d39c41c1b95a658b6a9f75fc6fd02b1d1922566a0ee4ee2fdfc@%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E

lists.apache.org/thread.html/rf70876ecafb45b314eff9d040c5281c4adb0cb7771eb029448cfb79b@%3Cannounce.apache.org%3E

lists.apache.org/thread.html/rffabc9e83cc2831bbee5db32b3965b84b09346a26ebc1012db63d28c@%3Ccommits.druid.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2020-1958

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.003

Percentile

71.5%

JSON

Related for GHSA-QH2G-7H5P-MXF4