CVE-2021-36749 in Druid

Summary

by MITRE • 09/24/2021

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.


Analysis

by VulDB Data Team • 10/02/2021

The vulnerability described in CVE-2021-36749 is a critical authorization bypass in Apache Druid's ingestion system, specifically in the HTTP InputSource component. It sits in the data ingestion pipeline, where Druid reads external data through its various InputSource implementations. The HTTP InputSource is designed to fetch data from remote HTTP endpoints, but because it does not validate the scheme of the URLs it is given, it does not restrict access to the local file system. The flaw allows authenticated users to read local files through the HTTP InputSource by supplying file URLs, circumventing the access controls that should have confined the source to remote data.

Technically, the vulnerability stems from missing input validation in the HTTP InputSource implementation. When a user specifies a data source URL through the HTTP InputSource, the system should check that the requested resource lies within the acceptable boundaries, i.e. that it is actually a remote HTTP resource. Instead, a file:// URL passed to the HTTP InputSource is processed as if it were a remote HTTP endpoint. The result is a data-access bypass in which the file is read with the privileges of the Druid server process rather than being limited to the intended remote data sources. The vulnerability specifically matters in scenarios where an application lets its users interact with Druid indirectly through the HTTP InputSource while withholding the Local InputSource from them, leaving a gap in access control enforcement.

The operational impact of this vulnerability extends beyond simple unauthorized data access, as it enables potential data exfiltration and system reconnaissance capabilities. Attackers can leverage this flaw to read sensitive files from the Druid server's local file system, potentially accessing configuration files, database credentials, or other sensitive data that should remain protected. The vulnerability is particularly concerning in multi-tenant environments where different users may have varying levels of access to the ingestion system. The issue was initially reported as addressed in version 0.21.0 through CVE-2021-26920, but subsequent analysis revealed that the fix was incomplete, leaving systems running versions 0.21.0 and 0.21.1 still vulnerable to exploitation. This regression demonstrates the importance of thorough testing and validation of security patches, as well as the potential for incomplete remediation efforts to leave systems exposed.

Organizations affected by this vulnerability should implement immediate mitigations, including restricting access to the HTTP InputSource where possible, applying strict input validation to all data source URLs (in particular rejecting every URL whose scheme is not http or https before a spec is submitted to Druid), and ensuring that only authorized users can reach ingestion endpoints. The vulnerability aligns with CWE-22 Path Traversal and CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component, both of which concern improper handling of file paths and input validation. From an ATT&CK framework perspective, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing, as it exploits legitimate authentication mechanisms to gain unauthorized access to system resources. System administrators should also consider network segmentation to limit direct access to Druid ingestion endpoints and ensure that all Druid instances are updated to versions that properly address this vulnerability, since the incomplete fix in 0.21.0 and 0.21.1 leaves a persistent risk for organizations that have not yet upgraded to patched versions.
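The mechanism described above (a file:// URL slipping through an interface that only meant to expose remote HTTP sources) and the mitigation just recommended (validating every data source URL at the application layer) can be shown together with a small policy check. The following is an added example, not code from Druid or from VulDB: it models an application that builds Druid ingestion specs for its users and wants to expose only the "http" InputSource. It assumes the spec layout spec.ioConfig.inputSource with a "type" and a "uris" list; every sample spec is constructed here for illustration.

```python
import json
from urllib.parse import urlsplit

# Application policy (constructed for this example): users may only submit
# the "http" InputSource, and only with http/https URLs. Any other scheme
# (file, jar, ...) would be read by the Druid server process itself.
ALLOWED_INPUT_SOURCE_TYPES = {"http"}
ALLOWED_SCHEMES = {"http", "https"}


class SpecRejected(ValueError):
    """Raised when an ingestion spec violates the application-level policy."""


def check_uri(uri):
    """Return the URI unchanged if it is a well-formed http(s) URL, else raise."""
    if not isinstance(uri, str) or not uri.strip():
        raise SpecRejected("URI must be a non-empty string")
    parts = urlsplit(uri.strip())
    # urlsplit lower-cases the scheme, so "FILE:///etc/passwd" is caught as well.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SpecRejected(f"scheme {parts.scheme!r} is not allowed (http/https only)")
    # "http:///etc/passwd" has an empty authority: not a remote resource, reject it.
    if not parts.netloc:
        raise SpecRejected("URI has no host component")
    return uri.strip()


def check_input_source(input_source):
    """Validate the inputSource object and return the list of accepted URIs."""
    if not isinstance(input_source, dict):
        raise SpecRejected("inputSource must be a JSON object")
    src_type = input_source.get("type")
    if src_type not in ALLOWED_INPUT_SOURCE_TYPES:
        # This is the check the vulnerable deployment already had: "local" is
        # refused here. The scheme check above is the one that was missing.
        raise SpecRejected(f"inputSource type {src_type!r} is not allowed")
    uris = input_source.get("uris")
    if not isinstance(uris, list) or not uris:
        raise SpecRejected("http inputSource requires a non-empty 'uris' list")
    return [check_uri(u) for u in uris]


def validate_ingestion_spec(spec_json):
    """Parse a task spec (JSON text) and return its accepted URIs, or raise."""
    spec = json.loads(spec_json)
    try:
        input_source = spec["spec"]["ioConfig"]["inputSource"]
    except (KeyError, TypeError):
        raise SpecRejected("spec.ioConfig.inputSource is missing")
    return check_input_source(input_source)


def is_spec_allowed(spec_json):
    """Convenience wrapper: True if the spec passes policy, False otherwise."""
    try:
        validate_ingestion_spec(spec_json)
        return True
    except (SpecRejected, ValueError):
        return False


def make_spec(input_source):
    """Build a constructed index_parallel spec around the given inputSource."""
    return json.dumps({
        "type": "index_parallel",
        "spec": {"ioConfig": {"type": "index_parallel", "inputSource": input_source}},
    })


if __name__ == "__main__":
    samples = {
        "remote https": make_spec({"type": "http", "uris": ["https://data.example.com/events.json"]}),
        "file scheme": make_spec({"type": "http", "uris": ["file:///etc/passwd"]}),
        "upper-case scheme": make_spec({"type": "http", "uris": ["FILE:///etc/passwd"]}),
        "empty authority": make_spec({"type": "http", "uris": ["http:///etc/passwd"]}),
        "local source": make_spec({"type": "local", "baseDir": "/etc", "filter": "*"}),
    }
    for label, spec in samples.items():
        print(f"{label:18s} -> {'accepted' if is_spec_allowed(spec) else 'rejected'}")
```

The scheme check is the point of the example: rejecting the Local InputSource by type, as the wrapping application in the advisory already did, is not enough on the affected Druid versions, because the HTTP InputSource itself will follow a file URL. Checking every URI's scheme before the spec leaves the application closes that path regardless of whether the Druid release behind it has been patched.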

Reservation

07/15/2021

Disclosure

09/24/2021

Moderation

accepted

CPE

ready

EPSS

0.81038

KEV

no

Activities

very low

Sources
