PT-2020-15191 · Apache · Apache Druid

Published: 2020-04-01 · Updated: 2022-04-06 · CVE-2020-1958

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Druid version 0.17.0

Description: The issue allows callers of Druid APIs with valid LDAP credentials to bypass the credentialsValidator.userSearch filter, which determines if a valid LDAP user can authenticate with Druid. Although role-based authorization checks still apply if configured, callers can also retrieve any visible LDAP attribute values of users on the LDAP server without needing to be a valid LDAP user themselves.

Recommendations: For Apache Druid version 0.17.0, consider disabling LDAP authentication until a patch is available to prevent bypassing the credentialsValidator.userSearch filter and unauthorized retrieval of LDAP attribute values. Restrict access to Druid APIs to minimize the risk of exploitation. Avoid using the credentialsValidator.userSearch filter in the affected API endpoints until the issue is resolved.

Special Elements Injection

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2020-1958
GHSA-QH2G-7H5P-MXF4

Affected Products

Apache Druid