cvelist/2021/26xxx/CVE-2021-26919.json

{
    "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2021-26919",
        "STATE": "PUBLIC",
        "TITLE": "Apache Druid Authenticated users can execute arbitrary code from malicious MySQL database systems."
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Apache Druid",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<=",
                                            "version_name": "Apache Druid",
                                            "version_value": "0.20.1"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "Apache Software Foundation"
                }
            ]
        }
    },
    "credit": [
        {
            "lang": "eng",
            "value": "This issue was discovered by fantasyC4t from the Ant FG Security Lab."
        }
    ],
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2"
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.0.9"
    },
    "impact": {},
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "Remote code execution"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "refsource": "MISC",
                "url": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E",
                "name": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E"
            },
            {
                "refsource": "MLIST",
                "name": "[druid-dev] 20210331 Regarding the 0.21.0 release",
                "url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E"
            }
        ]
    },
    "source": {
        "discovery": "UNKNOWN"
    },
    "work_around": [
        {
            "lang": "eng",
            "value": "Users should upgrade to Druid 0.20.2 and enable new Druid configurations to mitigate vulnerable MySQL JDBC properties.\nWhenever possible, network access to cluster machines should be restricted to trusted hosts only.\nEnsure that users have the minimum set of Druid permissions necessary, and are not granted access to functionality that they do not require."
        }
    ]
}
"-Synchronized-Data." 2021-02-09 08:00:54 +00:00			`{`
			`"CVE_data_meta": {`
Add CVE-2021-26919 2021-03-30 08:49:13 +01:00			`"ASSIGNER": "security@apache.org",`
"-Synchronized-Data." 2021-02-09 08:00:54 +00:00			`"ID": "CVE-2021-26919",`
Add CVE-2021-26919 2021-03-30 08:49:13 +01:00			`"STATE": "PUBLIC",`
			`"TITLE": "Apache Druid Authenticated users can execute arbitrary code from malicious MySQL database systems."`
"-Synchronized-Data." 2021-02-09 08:00:54 +00:00			`},`
Add CVE-2021-26919 2021-03-30 08:49:13 +01:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "Apache Druid",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "<=",`
			`"version_name": "Apache Druid",`
			`"version_value": "0.20.1"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "Apache Software Foundation"`
			`}`
			`]`
			`}`
			`},`
			`"credit": [`
			`{`
			`"lang": "eng",`
			`"value": "This issue was discovered by fantasyC4t from the Ant FG Security Lab."`
			`}`
			`],`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2021-02-09 08:00:54 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2021-03-30 08:00:40 +00:00			`"value": "Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2"`
Add CVE-2021-26919 2021-03-30 08:49:13 +01:00			`}`
			`]`
			`},`
			`"generator": {`
			`"engine": "Vulnogram 0.0.9"`
			`},`
			`"impact": {},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "Remote code execution"`
			`}`
			`]`
"-Synchronized-Data." 2021-02-09 08:00:54 +00:00			`}`
			`]`
Add CVE-2021-26919 2021-03-30 08:49:13 +01:00			`},`
			`"references": {`
			`"reference_data": [`
			`{`
"-Synchronized-Data." 2021-03-30 08:00:40 +00:00			`"refsource": "MISC",`
			`"url": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E",`
			`"name": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E"`
"-Synchronized-Data." 2021-03-31 20:00:40 +00:00			`},`
			`{`
			`"refsource": "MLIST",`
			`"name": "[druid-dev] 20210331 Regarding the 0.21.0 release",`
			`"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad@%3Cdev.druid.apache.org%3E"`
Add CVE-2021-26919 2021-03-30 08:49:13 +01:00			`}`
			`]`
			`},`
			`"source": {`
			`"discovery": "UNKNOWN"`
			`},`
			`"work_around": [`
			`{`
			`"lang": "eng",`
			`"value": "Users should upgrade to Druid 0.20.2 and enable new Druid configurations to mitigate vulnerable MySQL JDBC properties.\nWhenever possible, network access to cluster machines should be restricted to trusted hosts only.\nEnsure that users have the minimum set of Druid permissions necessary, and are not granted access to functionality that they do not require."`
			`}`
			`]`
"-Synchronized-Data." 2021-03-30 08:00:40 +00:00			`}`