#VU26577 LDAP injection in Apache Druid


Published: 2020-06-03

Vulnerability identifier: #VU26577

Vulnerability risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-1958

CWE-ID: CWE-90

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Apache Druid
Server applications / Database software

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper input validation when processing DLAP queries.A remote non-authenticated user can use Druid API to retrieve any LDAP attribute values of users that exist on the LDAP server. A remote attacker with a valid set of LDAP credentials can send a specially crafted request to the Druid API and bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid.

Successful exploitation of this vulnerability may allow an attacker to gain access to sensitive information and to escalate privileges within the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Druid: 0.17.0 - 0.17.0 rc1

External links
http://lists.apache.org/thread.html/r026540c617d334007810cd8f0068f617b5c78444be00a31fc1b03390@%3Ccommits.druid.apache.org%3E
http://lists.apache.org/thread.html/r1526dbce98a138629a41daa06c13393146ddcaf8f9d273cc49d57681@%3Ccommits.druid.apache.org%3E
http://lists.apache.org/thread.html/r1c32c95543d44559b8d7fd89b0a85f728c80e8b715685bbf788a15a4@%3Ccommits.druid.apache.org%3E
http://lists.apache.org/thread.html/r47c90a378efdb3fd07ff7f74095b8eb63b3ca93b8ada5c2661c5e371@%3Ccommits.druid.apache.org%3E
http://lists.apache.org/thread.html/r75e74d39c41c1b95a658b6a9f75fc6fd02b1d1922566a0ee4ee2fdfc@%3Ccommits.druid.apache.org%3E
http://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E
http://lists.apache.org/thread.html/rf70876ecafb45b314eff9d040c5281c4adb0cb7771eb029448cfb79b@%3Cannounce.apache.org%3E
http://lists.apache.org/thread.html/rffabc9e83cc2831bbee5db32b3965b84b09346a26ebc1012db63d28c@%3Ccommits.druid.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


LDAP injection in Apache Druid