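I. Basic information on vulnerability CVE-2021-36749
Vulnerability information
# Apache Druid: HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)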

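## Vulnerability overview
In the Druid ingestion system, the HTTP InputSource allows authenticated users to read data from the local file system with the privileges of the Druid server process, which goes beyond the intended data sources. The issue arises where users interact with Druid indirectly through an application: by specifying the HTTP InputSource, a user can bypass the application-level restriction.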

## Affected versions
- 0.21.0
- 0.21.1

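## Details
The HTTP InputSource allows users to read data from the local file system, not only from the previously specified data source. Where users interact with Druid indirectly through an application, if the application restricts only the Local InputSource and not the HTTP InputSource, users can bypass these restrictions by passing a file URL to the HTTP InputSource.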
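
The application-level check whose absence makes the bypass possible can be sketched as follows. This is an added example, not code from the advisory or from Apache Druid: it assumes the application forwards JSON ingestion specs in Druid's format (`ioConfig.inputSource` with `type` and `uris`), and the allow-lists, function names and sample specs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed application policy: only web fetches through the HTTP InputSource.
ALLOWED_TYPES = {"http"}
ALLOWED_SCHEMES = {"http", "https"}

def check_input_source(src, path):
    """Return (json_path, reason) pairs for one inputSource object."""
    kind = src.get("type")
    if kind not in ALLOWED_TYPES:          # rejects "local" and anything unlisted
        return [(path, f"inputSource type {kind!r} not permitted")]
    uris = src.get("uris")
    if not isinstance(uris, list) or not uris:
        return [(path, "uris missing or empty")]
    found = []
    for i, uri in enumerate(uris):
        try:
            scheme = urlsplit(uri).scheme.lower() if isinstance(uri, str) else ""
        except ValueError:                 # malformed authority, e.g. bad IPv6 literal
            scheme = ""
        if scheme not in ALLOWED_SCHEMES:  # file:, relative and unparsable URIs all fail
            found.append((f"{path}.uris[{i}]", f"scheme {scheme!r} not permitted"))
    return found

def find_violations(node, path="$"):
    """Walk a parsed spec and check every object stored under an "inputSource" key."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "inputSource" and isinstance(value, dict):
                found += check_input_source(value, child)
            else:
                found += find_violations(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += find_violations(item, f"{path}[{i}]")
    return found

def make_spec(input_source):
    """Constructed sample task payload wrapping the given inputSource."""
    return {"type": "index_parallel", "spec": {"ioConfig": {
        "type": "index_parallel", "inputSource": input_source,
        "inputFormat": {"type": "json"}}}}

SAMPLE_OK = make_spec({"type": "http", "uris": ["https://data.example.com/events.json"]})
SAMPLE_BYPASS = make_spec({"type": "http", "uris": [
    "https://data.example.com/events.json", "file:///path/to/local/file"]})
SAMPLE_LOCAL = make_spec({"type": "local", "baseDir": "/path/to/dir", "filter": "*.json"})
```

The check rejects by allow-list, so a URI with no scheme or an inputSource type the application never meant to expose fails as well.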

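## Impact
- Users can bypass application-level data access restrictions through the HTTP InputSource.
- This vulnerability was previously mentioned in CVE-2021-26920 and claimed to be fixed in version 0.21.0, but it was not actually fixed.
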
Vulnerability title
Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920)
Source: U.S. National Vulnerability Database (NVD)
Vulnerability description
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
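Source: U.S. National Vulnerability Database (NVD)
CVSS information
N/A
Source: U.S. National Vulnerability Database (NVD)
Vulnerability category
N/A
Source: U.S. National Vulnerability Database (NVD)
Vulnerability title
Apache Druid security vulnerability
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability description
Apache Druid is an open-source, column-oriented distributed database written in Java, from the Apache Software Foundation (United States). Apache Druid has a security vulnerability that stems from the fact that, in the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSourc
Source: China National Vulnerability Database of Information Security (CNNVD)
CVSS information
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability category
Other
Source: China National Vulnerability Database of Information Security (CNNVD)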
II. Public POCs for vulnerability CVE-2021-36749

| # | POC description | Source link |
|---|---|---|
| 1 | Apache Druid arbitrary file read | https://github.com/BrucessKING/CVE-2021-36749 |
| 2 | None | https://github.com/dorkerdevil/CVE-2021-36749 |
| 3 | CVE-2021-36749 Docker vulnerability reproduction | https://github.com/zwlsix/apache_druid_CVE-2021-36749 |
| 4 | Apache Druid LoadData arbitrary file read vulnerability / Code By: Jun_sheng | https://github.com/Jun-5heng/CVE-2021-36749 |
| 5 | None | https://github.com/hanch7274/CVE-2021-36749 |
| 6 | Apache Druid ingestion system is vulnerable to local file inclusion. The InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-36749.yaml |
| 7 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E6%95%B0%E6%8D%AE%E5%BA%93%E6%BC%8F%E6%B4%9E/Apache%20Druid%20LoadData%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2021-36749.md |

III. Intelligence on vulnerability CVE-2021-36749