PT-2021-16724 · Apache · Apache Druid

Litch1 +1

Published: 2021-01-29 · Updated: 2024-02-27

CVE-2021-25646

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Druid versions 0.20.0 and earlier

Description: The issue allows an authenticated user to send a specially crafted request that forces Apache Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process. Over 3,000 unique attacks have been detected in the past month, indicating an attacker testing phase. The Lucifer botnet is exploiting this issue for cryptomining.

Recommendations: For Apache Druid versions 0.20.0 and earlier, consider disabling the JavaScript execution functionality until a patch is available. As a temporary workaround, restrict access to the Druid server to minimize the risk of exploitation. Avoid using the JavaScript code execution feature in untrusted environments. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
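A defensive check in the spirit of the recommendations above, added here as an example and not code from the advisory or the Apache Druid project: it flags request bodies that embed JavaScript components, whether or not the server's JavaScript setting is on, so such requests can be reviewed or alerted on. It assumes (from Druid's documented JavaScript components) that these appear as JSON objects with "type" or "format" set to "javascript" and the script in a "function" field; the request-log format and the sample requests are constructed.

```python
import json

JS_TYPE = "javascript"


def find_javascript_components(node, path="$"):
    """Walk a decoded JSON request body and return the JSON paths of every
    object that declares "type"/"format" "javascript" or carries a string
    "function" field (assumed shape of Druid's JavaScript components)."""
    hits = []
    if isinstance(node, dict):
        if JS_TYPE in (node.get("type"), node.get("format")) or isinstance(node.get("function"), str):
            hits.append(path)
        for key, value in node.items():
            hits.extend(find_javascript_components(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_javascript_components(value, f"{path}[{i}]"))
    return hits


def scan_request_log(lines):
    """Each line is '<endpoint> <json-body>' (constructed format). Returns
    (endpoint, paths) for every request whose body embeds JavaScript; bodies
    that fail to parse are surfaced too rather than silently skipped."""
    findings = []
    for line in lines:
        endpoint, _, body = line.partition(" ")
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            findings.append((endpoint, ["<unparseable body>"]))
            continue
        paths = find_javascript_components(doc)
        if paths:
            findings.append((endpoint, paths))
    return findings


# Constructed sample request log: a benign query, a query carrying a
# JavaScript filter, and a truncated body.
SAMPLE_LOG = [
    '/druid/v2 {"queryType":"timeseries","dataSource":"web","aggregations":[{"type":"count","name":"n"}]}',
    '/druid/v2 {"queryType":"timeseries","dataSource":"web","filter":{"type":"javascript","dimension":"d","function":"function(d){return true}"}}',
    '/druid/v2/sql {"query":"SELECT 1"',
]

if __name__ == "__main__":
    for endpoint, paths in scan_request_log(SAMPLE_LOG):
        print(endpoint, paths)
```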

Exploit

Weakness Enumeration: Incorrect Permission

Related Identifiers: CVE-2021-25646, GHSA-WRQF-RRRW-W3MG

Affected Products: Apache Druid