CVE-2021-36749 PoC — Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete

Associated Vulnerability
Title: Apache Druid: The HTTP inputSource allows authenticated users to read data from other sources than intended (incomplete fix of CVE-2021-26920) (CVE-2021-36749)
Description: In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
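The application-level restriction described above can be enforced by checking the scheme of every URI in an HTTP inputSource before a user-supplied spec is forwarded to Druid. This is an added example, not code from the PoC repository or from Apache Druid; the `inputSource`/`uris` layout follows Druid's ingestion spec, while the function name, the allow-list and the sample spec are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: the fronting application only intends plain web fetches.
ALLOWED_SCHEMES = {"http", "https"}

def find_bad_http_uris(node, path="$"):
    """Walk a parsed ingestion/sampler spec and return (json_path, uri) for every
    URI in an object of type "http" whose scheme is not in ALLOWED_SCHEMES."""
    bad = []
    if isinstance(node, dict):
        if str(node.get("type", "")).lower() == "http" and "uris" in node:
            uris = node["uris"]
            if not isinstance(uris, list):
                uris = [uris]
            for i, uri in enumerate(uris):
                # A missing scheme yields "" and is rejected as well.
                scheme = urlsplit(str(uri).strip()).scheme.lower()
                if scheme not in ALLOWED_SCHEMES:
                    bad.append((f"{path}.uris[{i}]", uri))
        # Keep descending: input sources can be nested anywhere in the spec.
        for key, value in node.items():
            bad.extend(find_bad_http_uris(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            bad.extend(find_bad_http_uris(item, f"{path}[{i}]"))
    return bad

# Constructed sample spec: one intended URI and one file URL with a placeholder path.
SAMPLE_SPEC = json.loads("""
{"type": "index_parallel",
 "spec": {"ioConfig": {"type": "index_parallel",
   "inputSource": {"type": "http",
                   "uris": ["https://data.example.com/events.json",
                            "file:///placeholder/path"]},
   "inputFormat": {"type": "json"}}}}
""")

if __name__ == "__main__":
    for where, uri in find_bad_http_uris(SAMPLE_SPEC):
        print(f"reject spec: {where} uses a disallowed scheme: {uri}")
```

Run the check on the server side of the fronting application and reject the whole spec on any finding, rather than stripping the offending URI and forwarding the rest.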
Description
Apache Druid LoadData arbitrary file read vulnerability / Code By: Jun_sheng
Readme
# CVE-2021-36749

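# Apache Druid LoadData arbitrary file read vulnerability

## Code By: Jun_sheng @Orange Cybersecurity Lab

Orange Cybersecurity Lab https://0range.team/

#### 0x00 Risk Overview

This tool is for authorized security testing only; unauthorized attacks on sites are prohibited.

Read online: [Cybersecurity Law of the People's Republic of China](http://wglj.pds.gov.cn//upload/files/2020/4/1415254915.docx)

#### 0x01 Tool Usage

Put the organized list of assets into url.txt, then run `python CVE-2021-36749.py` on the command line.

#### 0x02 Bugs

Please submit bugs as Issues; I will look at them when I have time.

#### 0x03 Other

This script was written mainly as a coding exercise.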
File Snapshot

[4.0K] /data/pocs/203f95918d2c744a0476adc5da2027e3f80e2af9
├── [4.1K] CVE-2021-36749.py
├── [ 622] README.md
└── [   1] url.txt

0 directories, 3 files