[MAVEN:GHSA-JJ4F-P7VV-J4V9] Arbitrary code execution in Apache Druid

Severity High

Affected Packages 1

Fixed Packages 1

CVEs 1

Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2

Package	Affected Version
pkg:maven/org.apache.druid/druid	< 0.20.2

Package	Fixed Version
pkg:maven/org.apache.druid/druid	= 0.20.2

ID: MAVEN:GHSA-JJ4F-P7VV-J4V9
Severity: high
URL: https://github.com/advisories/GHSA-jj4f-p7vv-j4v9
Published: 2021-06-16T17:51:58
(3 years ago)
Modified: 2023-01-29T05:06:23
(19 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2021-26919
			https://github.com/apache/druid/commit/48953e3508967f5156c69676432b5d4dd25ea678
			https://github.com/apache/druid/releases/tag/druid-0.20.2
			https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E
			https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E
			https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f@%3Cdev.druid.apache.org%3E
			https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697@%3Cdev.druid.apache.org%3E
			https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc@%3Ccommits.druid.apache.org%3E
			https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110@%3Cdev.druid.apache.org%3E
			https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872@%3Ccommits.druid.apache.org%3E
			https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864@%3Ccommits.druid.apache.org%3E
			https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f@%3Cdev.druid.apache.org%3E
			https://github.com/advisories/GHSA-jj4f-p7vv-j4v9

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.apache.druid/druid	org.apache.druid	druid	< 0.20.2
Fixed	pkg:maven/org.apache.druid/druid	org.apache.druid	druid	= 0.20.2

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date