CVE-2021-26920

Name of the Vulnerable Software and Affected Versions Apache Druid (affected versions not specified)

Description The issue is related to weaknesses in the authorization mechanism of Apache Druid's analytical database. It allows remote attackers to gain unauthorized access to protected information. Specifically, in the Druid ingestion system, the HTTP InputSource allows authenticated users to read data from unintended sources, such as the local file system, with the privileges of the Druid server process. This can be problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource but not the Local InputSource, enabling them to bypass application-level restrictions by passing a file URL to the HTTP InputSource.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.