Also, the credit for finding this CVE goes to L0ne1y. On Tue, Sep 17, 2024 at 11:29 PM Karan Kumar <ka...@apache.org> wrote:
> Severity: low
>
> Affected versions:
>
> - Apache Druid through 30.0.0
>
> Description:
>
> Apache Druid allows users with certain permissions to read data from other
> database systems using JDBC. This functionality allows trusted users to set
> up Druid lookups or run ingestion tasks. Druid also allows administrators
> to configure a list of allowed properties that users are able to provide
> for their JDBC connections. By default, this allowed properties list
> restricts users to TLS-related properties only. However, when configuring
> a MySQL JDBC connection, users can use a particularly-crafted JDBC
> connection string to provide properties that are not on this allow list.
>
> Users without the permission to configure JDBC connections are not able to
> exploit this vulnerability.
> CVE-2021-26919 describes a similar vulnerability which was partially
> addressed in Apache Druid 0.20.2.
>
> This issue is fixed in Apache Druid 30.0.1.
>
> References:
>
> https://druid.apache.org
> https://www.cve.org/CVERecord?id=CVE-2024-45537
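As an added illustration of the allow-list check the advisory describes (example code, not Druid's own), the function below applies one property allow list to both the explicitly supplied property map and any properties embedded in the connection string's query part, so a property cannot pass merely because it arrived inside the URL. The allow-list contents, the URL handling and the sample requests are assumptions constructed for this example, not Druid's actual configuration.

```python
"""Allow-list check for user-supplied JDBC connection settings (added example)."""
from urllib.parse import urlsplit, parse_qsl

# Assumed allow list of TLS-related MySQL Connector/J property names, lower-cased.
# Druid's real default list is TLS-related but is not reproduced here.
ALLOWED_PROPERTIES = {
    "usessl", "requiressl", "sslmode", "verifyservercertificate",
    "trustcertificatekeystoreurl", "trustcertificatekeystorepassword",
}


def _normalize(key: str) -> str:
    # Compare names case-insensitively so mixed-case spellings cannot slip past the list.
    return key.strip().lower()


def properties_in_url(jdbc_url: str) -> dict:
    """Return the properties carried in the query part of a jdbc:mysql:// string."""
    if not jdbc_url.lower().startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    # After the "jdbc:" prefix the remainder parses like an ordinary URL; the
    # query component is where Connector/J-style "?key=value&key2=value2" lives.
    parts = urlsplit(jdbc_url[len("jdbc:"):])
    found = {}
    # keep_blank_values so a bare "?flag" with no "=" still counts as a property;
    # parse_qsl already percent-decodes keys, so an encoded name is seen decoded.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        found[_normalize(key)] = value
    return found


def check_jdbc_request(jdbc_url: str, explicit_properties: dict) -> list:
    """Return the property names not on the allow list, whether supplied in the
    explicit property map or embedded in the connection string. Empty means OK."""
    combined = {_normalize(k) for k in explicit_properties}
    combined |= set(properties_in_url(jdbc_url))
    return sorted(name for name in combined if name not in ALLOWED_PROPERTIES)


if __name__ == "__main__":
    # Constructed sample requests: one compliant, one carrying an extra URL property.
    print(check_jdbc_request("jdbc:mysql://db.example:3306/metrics?useSSL=true",
                             {"requireSSL": "true"}))
    print(check_jdbc_request("jdbc:mysql://db.example:3306/metrics?useSSL=true&otherSetting=1",
                             {}))
```

The strictest form of this mitigation is to reject any connection string that carries a query part at all and accept properties only through the explicit, allow-listed map, which removes the need to parse the URL the same way the driver does.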