{"containers": {"cna": {"affected": [{"product": "Apache Druid", "vendor": "Apache", "versions": [{"status": "affected", "version": "0.17.0"}]}], "descriptions": [{"lang": "en", "value": "When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user."}], "problemTypes": [{"descriptions": [{"description": "Unauthorized access and information disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-04T07:06:05", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E"}, {"name": "[druid-commits] 20200401 [GitHub] [druid] lgtm-com[bot] commented on issue #9600: Fix for [CVE-2020-1958] Apache Druid LDAP injection vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r1526dbce98a138629a41daa06c13393146ddcaf8f9d273cc49d57681%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200401 [druid] branch master updated: Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rffabc9e83cc2831bbee5db32b3965b84b09346a26ebc1012db63d28c%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200401 [GitHub] [druid] jihoonson merged pull request #9600: Fix for [CVE-2020-1958] Apache Druid LDAP injection vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r1c32c95543d44559b8d7fd89b0a85f728c80e8b715685bbf788a15a4%40%3Ccommits.druid.apache.org%3E"}, {"name": "[announce] 20200401 [CVE-2020-1958]: Apache Druid LDAP injection vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rf70876ecafb45b314eff9d040c5281c4adb0cb7771eb029448cfb79b%40%3Cannounce.apache.org%3E"}, {"name": "[druid-commits] 20200403 [GitHub] [druid] jon-wei opened a new pull request #9612: [Backport] Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r026540c617d334007810cd8f0068f617b5c78444be00a31fc1b03390%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200404 [GitHub] [druid] clintropolis merged pull request #9612: [Backport] Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r75e74d39c41c1b95a658b6a9f75fc6fd02b1d1922566a0ee4ee2fdfc%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200404 [druid] branch 0.18.0 updated: Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600) (#9612)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r47c90a378efdb3fd07ff7f74095b8eb63b3ca93b8ada5c2661c5e371%40%3Ccommits.druid.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2020-1958", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Druid", "version": {"version_data": [{"version_value": "0.17.0"}]}}]}, "vendor_name": "Apache"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Unauthorized access and information disclosure"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E"}, {"name": "[druid-commits] 20200401 [GitHub] [druid] lgtm-com[bot] commented on issue #9600: Fix for [CVE-2020-1958] Apache Druid LDAP injection vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1526dbce98a138629a41daa06c13393146ddcaf8f9d273cc49d57681@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200401 [druid] branch master updated: Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rffabc9e83cc2831bbee5db32b3965b84b09346a26ebc1012db63d28c@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200401 [GitHub] [druid] jihoonson merged pull request #9600: Fix for [CVE-2020-1958] Apache Druid LDAP injection vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1c32c95543d44559b8d7fd89b0a85f728c80e8b715685bbf788a15a4@%3Ccommits.druid.apache.org%3E"}, {"name": "[announce] 20200401 [CVE-2020-1958]: Apache Druid LDAP injection vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf70876ecafb45b314eff9d040c5281c4adb0cb7771eb029448cfb79b@%3Cannounce.apache.org%3E"}, {"name": "[druid-commits] 20200403 [GitHub] [druid] jon-wei opened a new pull request #9612: [Backport] Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r026540c617d334007810cd8f0068f617b5c78444be00a31fc1b03390@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200404 [GitHub] [druid] clintropolis merged pull request #9612: [Backport] Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r75e74d39c41c1b95a658b6a9f75fc6fd02b1d1922566a0ee4ee2fdfc@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200404 [druid] branch 0.18.0 updated: Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600) (#9612)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r47c90a378efdb3fd07ff7f74095b8eb63b3ca93b8ada5c2661c5e371@%3Ccommits.druid.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T06:54:00.299Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E"}, {"name": "[druid-commits] 20200401 [GitHub] [druid] lgtm-com[bot] commented on issue #9600: Fix for [CVE-2020-1958] Apache Druid LDAP injection vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r1526dbce98a138629a41daa06c13393146ddcaf8f9d273cc49d57681%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200401 [druid] branch master updated: Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rffabc9e83cc2831bbee5db32b3965b84b09346a26ebc1012db63d28c%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200401 [GitHub] [druid] jihoonson merged pull request #9600: Fix for [CVE-2020-1958] Apache Druid LDAP injection vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r1c32c95543d44559b8d7fd89b0a85f728c80e8b715685bbf788a15a4%40%3Ccommits.druid.apache.org%3E"}, {"name": "[announce] 20200401 [CVE-2020-1958]: Apache Druid LDAP injection vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rf70876ecafb45b314eff9d040c5281c4adb0cb7771eb029448cfb79b%40%3Cannounce.apache.org%3E"}, {"name": "[druid-commits] 20200403 [GitHub] [druid] jon-wei opened a new pull request #9612: [Backport] Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r026540c617d334007810cd8f0068f617b5c78444be00a31fc1b03390%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200404 [GitHub] [druid] clintropolis merged pull request #9612: [Backport] Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r75e74d39c41c1b95a658b6a9f75fc6fd02b1d1922566a0ee4ee2fdfc%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20200404 [druid] branch 0.18.0 updated: Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600) (#9612)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r47c90a378efdb3fd07ff7f74095b8eb63b3ca93b8ada5c2661c5e371%40%3Ccommits.druid.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-1958", "datePublished": "2020-04-01T21:48:33", "dateReserved": "2019-12-02T00:00:00", "dateUpdated": "2024-08-04T06:54:00.299Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:druid:0.17.0:*:*:*:*:*:*:*", "matchCriteriaId": "26A864B6-C649-4405-886A-82FA0C2399F8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user."}, {"lang": "es", "value": "Cuando la autenticaci\u00f3n LDAP est\u00e1 habilitada en Apache Druid versi\u00f3n 0.17.0, las personas que llaman desde las API de Druid con un conjunto v\u00e1lido de credenciales LDAP pueden omitir la barrera de filtro credentialsValidator.userSearch que determina si un usuario LDAP v\u00e1lido est\u00e1 habilitado para autenticarse con Druid. A\u00fan est\u00e1n sujetos a comprobaciones de autorizaci\u00f3n basadas en roles, si est\u00e1n configuradas. Las personas que llaman de las API de Druid tambi\u00e9n pueden recuperar cualquiera de los valores de atributo LDAP de los usuarios que existan en el servidor LDAP, siempre que esa informaci\u00f3n este visible para el servidor Druid. Esta divulgaci\u00f3n de informaci\u00f3n no requiere que la persona que llama sea un usuario LDAP v\u00e1lido."}], "id": "CVE-2020-1958", "lastModified": "2023-11-07T03:19:38.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-01T22:15:17.487", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r026540c617d334007810cd8f0068f617b5c78444be00a31fc1b03390%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r1526dbce98a138629a41daa06c13393146ddcaf8f9d273cc49d57681%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r1c32c95543d44559b8d7fd89b0a85f728c80e8b715685bbf788a15a4%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r47c90a378efdb3fd07ff7f74095b8eb63b3ca93b8ada5c2661c5e371%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r75e74d39c41c1b95a658b6a9f75fc6fd02b1d1922566a0ee4ee2fdfc%40%3Ccommits.druid.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rf70876ecafb45b314eff9d040c5281c4adb0cb7771eb029448cfb79b%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rffabc9e83cc2831bbee5db32b3965b84b09346a26ebc1012db63d28c%40%3Ccommits.druid.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "druid: Bypass of the credentialsValidator.userSearch filter in Druid API", "id": "1923082", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1923082"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-732->CWE-200", "details": ["When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user."], "name": "CVE-2020-1958", "package_state": [{"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-metering-hive", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2020-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-1958\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1958\nhttps://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E"], "statement": "In OpenShift Container Platform (OCP) the openshift4/ose-metering-hive container ships the vulnerable version of the druid package, but the vulnerable code (which is part of the druid security extensions) is not delivered, hence OCP component is not affected by this flaw.", "threat_severity": "Moderate", "upstream_fix": "druid 0.17.1"}