PT-2021-21335 · Druid · Druid
Credit: Abking +2 · Published 2021-09-24 · Updated 2022-07-12 · CVE-2021-36749
CVSS v3.1: 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Druid versions prior to 0.21.0
Description
The issue concerns the Druid ingestion system, specifically the HTTP InputSource, which allows authenticated users to read data from sources other than the intended remote HTTP endpoints, such as the local file system, with the privileges of the Druid server process. This matters when users interact with Druid indirectly through an application that exposes only some input sources: such users can bypass the application-level restriction by passing a file URL to the HTTP InputSource, which accepts it as if it were a remote address.
Recommendations
For versions prior to 0.21.0, as a temporary workaround, consider restricting access to the HTTP InputSource to minimize the risk of exploitation. Avoid using the HTTP InputSource in applications that do not intend to allow access to the local file system. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
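The workaround above amounts to an application-level allow-list on what reaches the HTTP InputSource. The following validator is an added example, not code from the advisory or from the Druid project; it assumes the native batch ingestion spec shape documented by Druid (an `inputSource` object with `"type": "http"` and a `uris` list) and rejects any spec whose URIs use a non-remote scheme or whose input source is not of the HTTP type.

```python
import json
from urllib.parse import urlsplit

# Policy for an application that submits ingestion specs to Druid on behalf of
# its users: only HTTP InputSources, and only remote URI schemes. A "file:" URI
# handed to the HTTP InputSource is exactly the bypass this advisory describes.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_INPUT_SOURCE_TYPES = {"http"}  # the application never exposes "local"


def _input_sources(node):
    """Yield every inputSource object in the spec, including nested ones."""
    if isinstance(node, dict):
        if "inputSource" in node:
            yield node["inputSource"]
        for value in node.values():
            yield from _input_sources(value)
    elif isinstance(node, list):
        for item in node:
            yield from _input_sources(item)


def find_violations(spec):
    """Return the reasons a spec (dict or JSON string) must not be forwarded."""
    if isinstance(spec, str):
        spec = json.loads(spec)
    problems = []
    for src in _input_sources(spec):
        src_type = src.get("type") if isinstance(src, dict) else None
        if src_type not in ALLOWED_INPUT_SOURCE_TYPES:
            problems.append(f"inputSource type {src_type!r} is not permitted")
            continue
        for uri in src.get("uris", []):
            scheme = urlsplit(str(uri)).scheme.lower()
            if scheme not in ALLOWED_SCHEMES:
                problems.append(f"uri {uri!r} uses disallowed scheme {scheme or '(none)'!r}")
    return problems


def is_safe_spec(spec):
    """True only when every inputSource is an HTTP source with remote URIs."""
    return not find_violations(spec)


# Constructed sample specs (hostnames and paths are placeholders).
SAFE_SPEC = ('{"type":"index_parallel","spec":{"ioConfig":{"type":"index_parallel",'
             '"inputSource":{"type":"http","uris":["https://data.example.internal/events.json"]}}}}')
BYPASS_SPEC = ('{"type":"index_parallel","spec":{"ioConfig":{"type":"index_parallel",'
               '"inputSource":{"type":"http","uris":["file:///tmp/constructed-example.json"]}}}}')
LOCAL_SPEC = ('{"type":"index_parallel","spec":{"ioConfig":{"type":"index_parallel",'
              '"inputSource":{"type":"local","baseDir":"/tmp","filter":"*.json"}}}}')
```

Run the check before the spec leaves the application; the returned reasons can be logged as a detection signal for bypass attempts.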
Exploit
Incorrect Authorization
Exposure of Resource to Wrong Sphere
Affected Products
Druid