Apache Druid < 0.17.1 LDAP Injection

medium Nessus Plugin ID 181681

Synopsis

An application installed on the remote host is missing a vendor-supplied update.

Description

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Druid version 0.17.1 or later.

See Also

https://lists.apache.org/thread/lpx8vxt898k60pl308q1gqbvwj9w49f3

Plugin Details

Severity: Medium

ID: 181681

File Name: apache_druid_0_17_1.nasl

Version: 1.1

Type: remote

Family: Misc.

Published: 9/20/2023

Updated: 9/21/2023

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.7

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2020-1958

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:druid

Required KB Items: installed_sw/Apache Druid, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/1/2020

Vulnerability Publication Date: 4/1/2020

Reference Information

CVE: CVE-2020-1958