Vulnerability in Apache Software Foundation Druid
CVE-2021-26919
Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain pro…
EPSS: 0.793 (99.1th percentile) — read the EPSS interpretation.
Affected products
- Apache Software Foundation Druid — versions Apache Druid
Public proof-of-concept exploits
References
- lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0… (x_refsource_MISC)
- [druid-dev] 20210331 Regarding the 0.21.0 release (mailing-list, x_refsource_MLIST)
- [druid-dev] 20210401 Re: Subject: [CVE-2021-26919] Authenticated users can execute arbitrary code from malicious MySQL database systems (mailing-list, x_refsource_MLIST)
- [druid-commits] 20210401 [GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919 (mailing-list, x_refsource_MLIST)
- [druid-dev] 20210405 Regarding the CVSS score for CVE-2021-26919 (mailing-list, x_refsource_MLIST)
- [druid-dev] 20210405 Re: Regarding the CVSS score for CVE-2021-26919 (mailing-list, x_refsource_MLIST)
- [druid-commits] 20210412 [GitHub] [druid] jihoonson opened a new pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 (mailing-list, x_refsource_MLIST)
- [druid-commits] 20210412 [GitHub] [druid] jihoonson merged pull request #11100: [Backport] Allow list for JDBC connection properties to address CVE-2021-26919 (mailing-list, x_refsource_MLIST)
- [druid-dev] 20210414 Re: Regarding the CVSS score for CVE-2021-26919 (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2021-26919?
- CVE-2021-26919 is a vulnerability in Apache Software Foundation Druid. Published 2021-03-30.
- Is CVE-2021-26919 known to be exploited?
- 12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.