Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
Published 2021-01-29 20:15:13
Updated 2022-07-12 17:42:04
View at NVD,   CVE.org
Vulnerability category: Execute code

Products affected by CVE-2021-25646

Exploit prediction scoring system (EPSS) score for CVE-2021-25646

97.33%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2021-25646

  • Apache Druid 0.20.0 Remote Command Execution
    Disclosure Date: 2021-01-21
    First seen: 2021-04-26
    exploit/linux/http/apache_druid_js_rce
    Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests; however, that feature is disabled by default. In Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted request th

CVSS scores for CVE-2021-25646

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
9.0
HIGH AV:N/AC:L/Au:S/C:C/I:C/A:C
8.0
10.0
NIST
8.8
HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2.8
5.9
NIST

References for CVE-2021-25646

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!