PT-2024-31685 · Apache · Apache Druid

L0Ne1Y

·

Published

2024-09-17

·

Updated

2024-10-01

·

CVE-2024-45537

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache Druid versions prior to 30.0.1
Description: Apache Druid lets users who hold the relevant permission read data from other database systems over JDBC; the feature is used to set up Druid lookups and to run ingestion tasks. To constrain such connections, administrators configure a list of JDBC connection properties that users are allowed to supply. A user with permission to configure JDBC connections can craft a MySQL JDBC connection string that carries properties outside that list, bypassing the restriction so that the connection is opened with properties the administrator never approved. Users without the permission to configure JDBC connections cannot exploit the issue.
Recommendations: Update to Apache Druid 30.0.1 or later. Until the update is applied, restrict the permission to configure JDBC connections (jdbc lookups and JDBC-based ingestion input sources) to trusted administrators. Tightening the allowed-properties list (druid.access.jdbc.allowedProperties) on its own does not mitigate this issue, because the list is exactly what the crafted connection string bypasses; it is still worth reviewing so that only the properties actually needed remain allowed once the fix is in place. Audit existing lookup and ingestion specs for MySQL connection strings that carry properties beyond the list.
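As an added example, not code from this advisory, from Apache Druid or from the reporter: a small Python audit script that walks Druid lookup and ingestion specs, extracts every connectURI, parses MySQL JDBC URLs with a deliberately strict grammar and flags properties outside an allow-list, rejecting any URL form it does not recognise rather than guessing at it. The sample specs, host names and credentials are constructed for the example; the default allow-list mirrors the documented default of druid.access.jdbc.allowedProperties and should be checked against your own deployment. It does not reproduce the connection-string trick behind CVE-2024-45537; it shows the fail-closed check an operator can run over existing specs while the upgrade is pending.

```python
"""Audit Druid lookup and ingestion specs for MySQL JDBC connection strings
that carry properties outside an allow-list. Unrecognised URL forms are
rejected outright (fail closed) rather than parsed leniently."""
import json
import re
from typing import Iterator

# Mirrors the documented default of druid.access.jdbc.allowedProperties;
# verify against the value actually configured in your deployment.
DEFAULT_ALLOWED = frozenset(p.lower() for p in ("useSSL", "requireSSL", "ssl", "sslmode"))

# One canonical form only: jdbc:mysql://host[:port]/db[?key=value&...].
# Anything else is rejected instead of guessed at, because a lenient checker
# that disagrees with the driver's own URL parser is how allow-lists get bypassed.
_STRICT_MYSQL_URL = re.compile(
    r"^jdbc:mysql://(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>\d{1,5}))?"
    r"/(?P<db>[A-Za-z0-9_]+)(?:\?(?P<query>[^#]*))?$"
)
_KEY = re.compile(r"^[A-Za-z0-9]+$")


def check_mysql_url(url: str, allowed=DEFAULT_ALLOWED) -> list[str]:
    """Return findings for one JDBC URL; an empty list means it passed."""
    m = _STRICT_MYSQL_URL.match(url)
    if not m:
        return [f"unrecognised JDBC URL form, rejected (fail closed): {url!r}"]
    findings: list[str] = []
    query = m.group("query")
    if not query:
        return findings
    for pair in query.split("&"):
        key, sep, _value = pair.partition("=")
        if not sep or not _KEY.match(key):
            findings.append(f"malformed property segment {pair!r}, rejected")
            continue
        # Compare case-insensitively: a re-cased spelling of a blocked key is
        # still blocked, and nothing outside the allow-list gets through.
        if key.lower() not in allowed:
            findings.append(f"property {key!r} is not on the allow-list")
    return findings


def find_connect_uris(node) -> Iterator[str]:
    """Yield every connectURI string anywhere in a spec. Druid places it
    under connectorConfig for both jdbc lookups and sql ingestion inputs."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "connectURI" and isinstance(value, str):
                yield value
            else:
                yield from find_connect_uris(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_connect_uris(item)


def audit_spec(spec_json: str, allowed=DEFAULT_ALLOWED) -> dict[str, list[str]]:
    """Map each connectURI found in a JSON spec to its findings."""
    spec = json.loads(spec_json)
    return {uri: check_mysql_url(uri, allowed) for uri in find_connect_uris(spec)}


# Constructed sample specs: the shape follows Druid's cachedNamespace/jdbc
# lookup and sql input source; hosts, tables and credentials are made up.
SAMPLE_LOOKUP = json.dumps({
    "type": "cachedNamespace",
    "extractionNamespace": {
        "type": "jdbc",
        "connectorConfig": {
            "connectURI": "jdbc:mysql://mysql.internal:3306/lookups?useSSL=true",
            "user": "druid", "password": "redacted"},
        "table": "countries", "keyColumn": "code", "valueColumn": "name"}})

SAMPLE_INGEST = json.dumps({
    "type": "index_parallel",
    "ioConfig": {"type": "index_parallel", "inputSource": {
        "type": "sql",
        "database": {"type": "mysql", "connectorConfig": {
            # autoDeserialize is a Connector/J property that is not on the list
            "connectURI": "jdbc:mysql://mysql.internal/app?useSSL=true&autoDeserialize=true"}},
        "sqls": ["SELECT id, ts FROM events"]}}})

# A URL variant the strict grammar does not accept; it is rejected as a whole.
SAMPLE_ODD_FORM = "jdbc:mysql:loadbalance://mysql-a,mysql-b/app?useSSL=true"

if __name__ == "__main__":
    for name, spec in (("lookup", SAMPLE_LOOKUP), ("ingest", SAMPLE_INGEST)):
        for uri, findings in audit_spec(spec).items():
            print(f"[{'OK' if not findings else 'REJECT'}] {name}: {uri}")
            for finding in findings:
                print("   -", finding)
    print("[REJECT] odd form:", check_mysql_url(SAMPLE_ODD_FORM)[0])
```

The design choice worth copying is the failure mode: the checker accepts exactly one URL grammar and treats everything else as a rejection, so a URL spelling the checker did not anticipate can never slip through with unexamined properties. Run it over the JSON you would submit to the lookup or ingestion APIs before submission, or over specs exported from a running cluster.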

Fix

RCE

Related Identifiers

CVE-2024-45537
GHSA-jh66-3545-vpm7

Affected Products

Apache Druid