Jihoon Son

#30065 of 53,635
8.8 Total CVSS
Vulnerabilities · 1
PT-2021-17176
8.8
2021-03-30
Apache · Apache Druid · CVE-2021-26919
Name of the Vulnerable Software and Affected Versions: Apache Druid versions prior to 0.20.2

Description: The issue allows an attacker to execute arbitrary code from a malicious MySQL server within Druid server processes due to certain properties in the MySQL JDBC driver. This functionality is intended for trusted users to set up lookups or submit ingestion tasks using JDBC to read data from other database systems.

Recommendations: For versions prior to 0.20.2, update to Apache Druid 0.20.2 to address the issue. As a temporary workaround, consider restricting access to the MySQL JDBC driver properties to minimize the risk of exploitation.