druid-core is vulnerable to information disclosure. An attacker is able bypass the application-level restriction and read data from other sources than intended by passing a file URL to the HTTP InputSource.
www.openwall.com/lists/oss-security/2021/07/02/1
www.openwall.com/lists/oss-security/2021/09/24/1
github.com/apache/druid/commit/6b14bdb3a53d6aec45e485e6849956a69720ba3f
lists.apache.org/thread.html/r29e45561343cc5cf7d3290ee0b0e94e565faab19c20d022df9b5e29c%40%3Cdev.druid.apache.org%3E
lists.apache.org/thread.html/r304dfe56a5dfe1b2d9166b24d2c74ad1c6730338b20aef77a00ed2be@%3Cannounce.apache.org%3E
lists.apache.org/thread.html/r61aab724cf97d80da7f02d50e9af6de5c7c40dd92dab7518746fbaa2@%3Cannounce.apache.org%3E
lists.apache.org/thread.html/rc9400a70d0ec5cdb8a3486fc5ddb0b5282961c0b63e764abfbcb9f5d@%3Cdev.druid.apache.org%3E