CVE-2021-26919 — Arbitrary code execution in Apache Druid

Description

Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2

How to fix CVE-2021-26919

To remediate CVE-2021-26919, upgrade the affected package to a fixed version below.

—upgrade to 0.20.2 or later

Is CVE-2021-26919 being exploited?

Likely — EPSS is 79.3%, placing CVE-2021-26919 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 0.20.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-26919
PATCHgithub.com/apache/druid
WEBgithub.com/apache/druid/commit/48953e3508967f5156c69676432b5d4dd25ea678
WEBgithub.com/apache/druid/releases/tag/druid-0.20.2