module
Apache Druid 0.20.0 Remote Command Execution
| Disclosed | Created |
|---|---|
| Jan 21, 2021 | Apr 26, 2021 |
Disclosed
Jan 21, 2021
Created
Apr 26, 2021
Description
Apache Druid includes the ability to execute user-provided JavaScript code embedded in
various types of requests; however, that feature is disabled by default.
In Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted request
that both enables the JavaScript code-execution feature and executes the supplied code all
at once, allowing for code execution on the server with the privileges of the Druid Server process.
More critically, authentication is not enabled in Apache Druid by default.
Tested on the following Apache Druid versions:
* 0.15.1
* 0.16.0-iap8
* 0.17.1
* 0.18.0-iap3
* 0.19.0-iap7
* 0.20.0-iap4.1
* 0.20.0
* 0.21.0-iap3
various types of requests; however, that feature is disabled by default.
In Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted request
that both enables the JavaScript code-execution feature and executes the supplied code all
at once, allowing for code execution on the server with the privileges of the Druid Server process.
More critically, authentication is not enabled in Apache Druid by default.
Tested on the following Apache Druid versions:
* 0.15.1
* 0.16.0-iap8
* 0.17.1
* 0.18.0-iap3
* 0.19.0-iap7
* 0.20.0-iap4.1
* 0.20.0
* 0.21.0-iap3
Authors
Litch1, Security Team of Alibaba Cloud
je5442804
je5442804
Platform
Linux,Unix
Architectures
x86, x64, cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.