Vulnerability in Apache Druid
CVE-2020-1958
When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authent…
EPSS: 0.156 (94.8th percentile)
Affected products
- Apache Druid — versions 0.17.0
Public proof-of-concept exploits
References
- lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a9… (x_refsource_MISC)
- [druid-commits] 20200401 [GitHub] [druid] lgtm-com[bot] commented on issue #9600: Fix for [CVE-2020-1958] Apache Druid LDAP injection vulnerability (mailing-list, x_refsource_MLIST)
- [druid-commits] 20200401 [druid] branch master updated: Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600) (mailing-list, x_refsource_MLIST)
- [druid-commits] 20200401 [GitHub] [druid] jihoonson merged pull request #9600: Fix for [CVE-2020-1958] Apache Druid LDAP injection vulnerability (mailing-list, x_refsource_MLIST)
- [announce] 20200401 [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (mailing-list, x_refsource_MLIST)
- [druid-commits] 20200403 [GitHub] [druid] jon-wei opened a new pull request #9612: [Backport] Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600) (mailing-list, x_refsource_MLIST)
- [druid-commits] 20200404 [GitHub] [druid] clintropolis merged pull request #9612: [Backport] Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600) (mailing-list, x_refsource_MLIST)
- [druid-commits] 20200404 [druid] branch 0.18.0 updated: Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600) (#9612) (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2020-1958?
- CVE-2020-1958 is a vulnerability in Apache Druid. Published 2020-04-01.
- Is CVE-2020-1958 known to be exploited?
- 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.