Q: Is exploitation threshold high? (Auth/Config)

🔑 **Threshold**: **Medium**. Requires **Authentication**. ⚙️ **Config**: Users must be able to specify the **HTTP InputSource** in the ingestion task. Not direct privilege escalation, but indirect via app interaction.

Q: Is there a public Exp? (PoC/Wild Exploitation)

💣 **Exploit**: **Yes**, public PoCs exist. 📂 **GitHub**: Multiple repos (e.g., BrucessKING, Jun-5heng) provide curl commands and Python scripts. 🌐 **Wild Exploitation**: Likely, given simple curl-based PoCs.

Q: Is it fixed officially? (Patch/Mitigation)

🛠️ **Fix**: Upgrade to version **> 0.21.1**. 📢 **Official**: Apache announced the fix in mailing lists (CVE-2021-36749). 🔄 **Status**: Incomplete fix of previous CVE, so patch is critical.

Question 1

What is this vulnerability? (Essence + Consequences)

Accepted Answer

🚨 **Essence**: Apache Druid allows authenticated users to read local files via HTTP InputSource. 💥 **Consequences**: Arbitrary file read (e.g., /etc/passwd), data leakage, potential server compromise.…

Question 2

Root Cause? (CWE/Flaw)

Accepted Answer

🛡️ **Root Cause**: The **HTTP InputSource** in the ingestion system is misconfigured. It allows reading from unintended sources (like local file system) instead of just remote HTTP sources.…

Question 3

Who is affected? (Versions/Components)

Accepted Answer

🏢 **Vendor**: Apache Software Foundation. 📦 **Product**: Apache Druid. 📅 **Affected Versions**: Version **<= 0.21.1**. 🗓️ **Published**: 2021-09-24.

Question 4

What can hackers do? (Privileges/Data)

Accepted Answer

🕵️ **Action**: Hackers can read **any file** accessible by the Druid server process. 📂 **Data**: Local filesystem data (e.g., /etc/passwd, config files).…

Question 5

Is exploitation threshold high? (Auth/Config)

Accepted Answer

🔑 **Threshold**: **Medium**. Requires **Authentication**. ⚙️ **Config**: Users must be able to specify the **HTTP InputSource** in the ingestion task. Not direct privilege escalation, but indirect via app interaction.

Question 6

Is there a public Exp? (PoC/Wild Exploitation)

Accepted Answer

💣 **Exploit**: **Yes**, public PoCs exist. 📂 **GitHub**: Multiple repos (e.g., BrucessKING, Jun-5heng) provide curl commands and Python scripts. 🌐 **Wild Exploitation**: Likely, given simple curl-based PoCs.

Question 7

How to self-check? (Features/Scanning)

Accepted Answer

🔍 **Check**: Scan for Apache Druid on port **8888**. 🧪 **Test**: Send POST request to `/druid/indexer/v1/sampler?for=connect` with HTTP InputSource pointing to `file:///etc/passwd`.…

Question 8

Is it fixed officially? (Patch/Mitigation)

Accepted Answer

🛠️ **Fix**: Upgrade to version **> 0.21.1**. 📢 **Official**: Apache announced the fix in mailing lists (CVE-2021-36749). 🔄 **Status**: Incomplete fix of previous CVE, so patch is critical.

Question 9

What if no patch? (Workaround)

Accepted Answer

🚧 **Workaround**: If no patch, **restrict network access** to Druid ingestion endpoints. 🔒 **Auth**: Ensure strong authentication and limit who can submit ingestion tasks.…

Question 10

Is it urgent? (Priority Suggestion)

Accepted Answer

🔥 **Urgency**: **High**. 📉 **Risk**: Data leakage is severe. 🚀 **Priority**: Patch immediately if running <= 0.21.1. 📢 **Alert**: Public exploits make this easy to weaponize. Don't ignore!

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2021-36749 — AI Deep Analysis Summary

Q1What is this vulnerability? (Essence + Consequences)

Q2Root Cause? (CWE/Flaw)

Q3Who is affected? (Versions/Components)

Q4What can hackers do? (Privileges/Data)

Q5Is exploitation threshold high? (Auth/Config)

Q6Is there a public Exp? (PoC/Wild Exploitation)

Q7How to self-check? (Features/Scanning)

Q8Is it fixed officially? (Patch/Mitigation)

Q9What if no patch? (Workaround)

Q10Is it urgent? (Priority Suggestion)

Continue exploring