Severity: low

Affected versions:

- Apache Druid through 30.0.0

Description:

Apache Druid allows users with certain permissions to read data from other 
database systems using JDBC. This functionality allows trusted users to set up 
Druid lookups or run ingestion tasks. Druid also allows administrators to 
configure a list of allowed properties that users are able to provide for their 
JDBC connections. By default, this allowed properties list restricts users to 
TLS-related properties only. However, when configuring a MySQL JDBC 
connection, users can use a particularly-crafted JDBC connection string to 
provide properties that are not on this allow list.

Users without the permission to configure JDBC connections are not able to 
exploit this vulnerability.
CVE-2021-26919 describes a similar vulnerability which was partially addressed 
in Apache Druid 0.20.2.
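The kind of allow-list check the description refers to, written out as an added illustration (this is not Druid's code, and the allow list, host pattern and sample connection strings are constructed for the example rather than taken from Druid's defaults). The point it demonstrates is fail-closed parsing: properties are collected from every place the validator understands (the URL query string and the explicitly supplied map), and any connection-string shape the validator does not understand is rejected outright instead of being searched for properties, since the advisory's lesson is that a crafted string can carry properties past a check that only inspects the obvious form.

```python
"""Allow-list validation of user-supplied JDBC connection properties (example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed allow list for this example. It stands in for the TLS-only
# default the advisory describes; it is NOT Druid's actual list.
TLS_ALLOWED_PROPERTIES = frozenset({
    "useSSL",
    "requireSSL",
    "verifyServerCertificate",
    "trustCertificateKeyStoreUrl",
    "trustCertificateKeyStorePassword",
})

# Only the plain host[:port]/database shape is accepted. Any other syntax a
# driver might understand is rejected rather than interpreted (fail closed).
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")
_DB_RE = re.compile(r"^/[A-Za-z0-9_]+$")


class DisallowedPropertyError(ValueError):
    """A property outside the allow list was supplied."""


def extract_url_properties(jdbc_url: str) -> dict:
    """Return the key=value properties carried in the URL's query string.

    Raises ValueError for anything that is not a plain jdbc:mysql:// URL.
    """
    prefix = "jdbc:"
    if not jdbc_url.startswith(prefix):
        raise ValueError("not a JDBC URL")
    parts = urlsplit(jdbc_url[len(prefix):])
    if parts.scheme != "mysql":
        raise ValueError(f"unsupported driver scheme: {parts.scheme!r}")
    if parts.fragment or not _HOST_RE.match(parts.netloc) or not _DB_RE.match(parts.path):
        raise ValueError("connection string uses a syntax this validator does not accept")
    props = {}
    # parse_qsl percent-decodes keys, so an encoded spelling of a disallowed
    # name is compared in its decoded form.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in props:
            raise ValueError(f"duplicate property {key!r}")
        props[key] = value
    return props


def validate_connection(jdbc_url: str, explicit_props: dict,
                        allowed=TLS_ALLOWED_PROPERTIES) -> dict:
    """Merge URL-embedded and explicitly supplied properties, then enforce the allow list.

    Returns the effective property map on success.
    """
    effective = extract_url_properties(jdbc_url)
    for key, value in explicit_props.items():
        if key in effective and effective[key] != value:
            raise ValueError(f"property {key!r} given twice with different values")
        effective[key] = value
    disallowed = sorted(k for k in effective if k not in allowed)
    if disallowed:
        raise DisallowedPropertyError(f"properties not on the allow list: {disallowed}")
    return effective


def is_allowed(jdbc_url: str, explicit_props: dict) -> bool:
    """Boolean convenience wrapper around validate_connection."""
    try:
        validate_connection(jdbc_url, explicit_props)
    except ValueError:  # DisallowedPropertyError is a ValueError as well
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_connection("jdbc:mysql://db.example.test:3306/druid?useSSL=true",
                              {"requireSSL": "true"}))
    print(is_allowed("jdbc:mysql://db.example.test:3306/druid?useSSL=true&autoReconnect=true", {}))
```

A property such as `autoReconnect` is rejected whether it arrives in the query string or in the explicit map, and a URL whose authority or path does not match the accepted shape is refused before any property is read; a real validator would need to cover every syntax the driver in use actually accepts, which is exactly the gap the advisory describes.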

This issue is fixed in Apache Druid 30.0.1.

References:

https://druid.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-45537


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
For additional commands, e-mail: dev-h...@druid.apache.org