CVE-2024-45537

Apache Druid allows users with certain permissions to read data from other database systems using JDBC. This functionality allows trusted users to set up Druid lookups or run ingestion tasks. Druid also allows administrators to configure a list of allowed properties that users are able to provide for their JDBC connections. By default, this allowed properties list restricts users to TLS-related properties only. However, when configuration a MySQL JDBC connection, users can use a particularly-crafted JDBC connection string to provide properties that are not on this allow list. Users without the permission to configure JDBC connections are not able to exploit this vulnerability. CVE-2021-26919 describes a similar vulnerability which was partially addressed in Apache Druid 0.20.2. This issue is fixed in Apache Druid 30.0.1.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/2ovx1t77y6tlkhk5b42clp4vwo4c8cjv	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:druid:*:*:*:*:*:*:*:*

History

01 Oct 2024, 20:41

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:druid::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Apache Apache druid
CWE	~~CWE-20~~	NVD-CWE-noinfo
References	~~() https://lists.apache.org/thread/2ovx1t77y6tlkhk5b42clp4vwo4c8cjv -~~	() https://lists.apache.org/thread/2ovx1t77y6tlkhk5b42clp4vwo4c8cjv - Vendor Advisory

17 Sep 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-17 19:15

Updated : 2025-03-14 15:15

NVD link : CVE-2024-45537

Mitre link : CVE-2024-45537

JSON object : View

Products Affected

apache

druid

CWE

NVD-CWE-noinfo

6.5 /10