What is the oldest Druid version with this vulnerability?

On Fri, Jan 29, 2021 at 10:03 AM Jihoon Son <jihoon...@apache.org> wrote:
>
> Description:
>
> Apache Druid includes the ability to execute user-provided JavaScript
> code embedded in various types of requests. This functionality is
> intended for use in high-trust environments, and is disabled by
> default. However, in Druid 0.20.0 and earlier, it is possible for an
> authenticated user to send a specially-crafted request that forces
> Druid to run user-provided JavaScript code for that request,
> regardless of server configuration. This can be leveraged to execute
> code on the target machine with the privileges of the Druid server
> process.
>
> Mitigation:
>
> Users should upgrade to Druid 0.20.1. Whenever possible, network
> access to cluster machines should be restricted to trusted hosts only.
>
> Credit:
>
> This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> For additional commands, e-mail: dev-h...@druid.apache.org
>
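Since the advisory says the JavaScript feature is meant to stay disabled outside high-trust environments, one defensive check is to flag any request body that carries a JavaScript component at all. The following is an added example, not code from the advisory thread or the Druid project; it assumes Druid's documented JSON shape for such components (an object with "type": "javascript", as used by JavaScript filters, aggregators, extraction functions and post-aggregators), and the request bodies are constructed samples rather than captured traffic.

```python
"""Flag Druid request bodies that embed JavaScript components.

Added example (not from the advisory or the Druid project). Assumes the
documented Druid shape for JavaScript components: a JSON object whose
"type" is "javascript". Sample request bodies below are constructed.
"""
import json
from typing import Any, Iterator


def find_javascript_components(node: Any, path: str = "$") -> Iterator[str]:
    """Walk parsed JSON and yield a JSONPath-like location for every
    object whose "type" is "javascript" (matched case-insensitively)."""
    if isinstance(node, dict):
        if str(node.get("type", "")).lower() == "javascript":
            yield path
        for key, value in node.items():
            yield from find_javascript_components(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_javascript_components(value, f"{path}[{i}]")


def scan_requests(bodies: list[str]) -> list[tuple[int, list[str]]]:
    """Return (index, locations) for each body that contains at least one
    JavaScript component. Bodies that are not valid JSON are skipped."""
    hits = []
    for i, body in enumerate(bodies):
        try:
            doc = json.loads(body)
        except json.JSONDecodeError:
            continue
        locations = list(find_javascript_components(doc))
        if locations:
            hits.append((i, locations))
    return hits


# Constructed samples: a plain timeseries query, then the same query
# carrying a JavaScript filter that a hardened cluster should never see.
SAMPLE_BODIES = [
    '{"queryType":"timeseries","dataSource":"wikipedia","granularity":"day",'
    '"aggregations":[{"type":"count","name":"rows"}],'
    '"intervals":["2021-01-01/2021-01-02"]}',
    '{"queryType":"timeseries","dataSource":"wikipedia","granularity":"day",'
    '"filter":{"type":"javascript","dimension":"channel",'
    '"function":"function(x) { return x === \'#en.wikipedia\'; }"},'
    '"aggregations":[{"type":"count","name":"rows"}],'
    '"intervals":["2021-01-01/2021-01-02"]}',
]

if __name__ == "__main__":
    for idx, where in scan_requests(SAMPLE_BODIES):
        print(f"request {idx}: JavaScript component at {', '.join(where)}")
```

Feed it the JSON bodies from your broker or router request logs; any hit on a cluster where JavaScript is supposed to be disabled deserves a look, and on versions at or below 0.20.0 it deserves one regardless of configuration.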