1. Basic Information for Vulnerability CVE-2021-25646
Vulnerability Information


Vulnerability Title
Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.
Source: NVD (US National Vulnerability Database)
Vulnerability Description
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Source: NVD (US National Vulnerability Database)
CVSS Information
N/A
Source: NVD (US National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (US National Vulnerability Database)
Vulnerability Title
Apache Druid Access Control Error Vulnerability
Source: CNNVD (China National Vulnerability Database of Information Security)
Vulnerability Description
Apache Druid is an open-source, column-oriented distributed database written in Java by the Apache Software Foundation (USA). Apache Druid 0.20.0 and earlier versions contain an access control error vulnerability that allows an authenticated user to force Druid to run user-provided JavaScript code and execute code with the privileges of the server process.
Source: CNNVD (China National Vulnerability Database of Information Security)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database of Information Security)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database of Information Security)
Affected Products
Vendor: Apache Software Foundation
Product: Apache Druid
Affected versions: 0.20.0 and earlier (~ 0.20.0)
CPE: -
2. Public POCs for Vulnerability CVE-2021-25646
Each entry gives the POC description followed by its source link.
1. Apache Druid remote code execution; detection script
   https://github.com/yaunsky/cve-2021-25646
2. (no description)
   https://github.com/lp008/CVE-2021-25646
3. CSharp CVE-2021-25646-GUI
   https://github.com/Ormicron/CVE-2021-25646-GUI
4. (no description)
   https://github.com/Vulnmachines/Apache-Druid-CVE-2021-25646
5. Alibaba-Nacos-Unauthorized/ApacheDruid-RCE_CVE-2021-25646/MS-Exchange-SSRF-CVE-2021-26885/Oracle-WebLogic-CVE-2021-2109_RCE/RG-CNVD-2021-14536/RJ-SSL-VPN-UltraVires/Redis-Unauthorized-RCE/TDOA-V11.7-GetOnlineCookie/VMware-vCenter-GetAnyFile/yongyou-GRP-U8-XXE/Oracle-WebLogic-CVE-2020-14883/Oracle-WebLogic-CVE-2020-14882/Apache-Solr-GetAnyFile/F5-BIG-IP-CVE-2021-22986/Sonicwall-SSL-VPN-RCE/GitLab-Graphql-CNVD-2021-14193/D-Link-DCS-CVE-2020-25078/WLAN-AP-WEA453e-RCE/360TianQing-Unauthorized/360TianQing-SQLinjection/FanWeiOA-V8-SQLinjection/QiZhiBaoLeiJi-AnyUserLogin/QiAnXin-WangKangFirewall-RCE/金山-V8-终端安全系统/NCCloud-SQLinjection/ShowDoc-RCE
   https://github.com/1n7erface/PocList
6. CVE-2021-25646 Apache Druid remote code execution vulnerability, Wker script
   https://github.com/givemefivw/CVE-2021-25646
7. Apache Druid remote code execution vulnerability - Apache Druid remote code execution exploit CVE-2021-25646
   https://github.com/j2ekim/CVE-2021-25646
8. CVE-2021-25646 Apache Druid remote code execution vulnerability detection and exploitation tool
   https://github.com/luobai8/CVE-2021-25646-exp
9. Apache Druid remote code execution reproduction (CVE-2021-25646)
   https://github.com/gps1949/CVE-2021-25646
10. Apache Druid is susceptible to remote code execution because by default it lacks authorization and authentication. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server.
    https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-25646.yaml
11. (no description)
    https://github.com/Threekiii/Awesome-POC/blob/master/%E6%95%B0%E6%8D%AE%E5%BA%93%E6%BC%8F%E6%B4%9E/Apache%20Druid%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2021-25646.md
12. (no description)
    https://github.com/Threekiii/Awesome-POC/blob/master/%E6%95%B0%E6%8D%AE%E5%BA%93%E6%BC%8F%E6%B4%9E/Apache%20Druid%20%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2021-25646.md
13. (no description)
    https://github.com/vulhub/vulhub/blob/master/apache-druid/CVE-2021-25646/README.md
14. CVE-2021-25646 Apache Druid remote code execution vulnerability detection and exploitation tool
    https://github.com/k7pro/CVE-2021-25646-exp
15. A proof-of-concept for the CVE-2021-25646, which allows for Command Injection
    https://github.com/tiemio/RCE-PoC-CVE-2021-25646
16. Exploit for Apache Druid Embedded Javascript Remote Code Execution (CVE-2021-25646), Python.
    https://github.com/ShadowLance2/Apache-Druid-CVE-2021-25646-Exploit