CVE-2021-36749

CVE-2021-36749 is a medium-severity vulnerability in Apache Druid with a CVSS 3.x base score of 6.5. Its EPSS exploit-prediction score of 81% places it in the 100th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-863.

Key facts

Description

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.

Frequently asked questions

What is CVE-2021-36749?
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
How severe is CVE-2021-36749?
CVE-2021-36749 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
Is CVE-2021-36749 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 81% (100th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2021-36749?
CVE-2021-36749 affects Apache Druid. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-36749?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2021-36749 published?
CVE-2021-36749 was published on 2021-09-24 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Apache Druid

All CVEs affecting Apache Druid →

Other CWE-863 (Incorrect Authorization) vulnerabilities

Browse all CWE-863 (Incorrect Authorization) vulnerabilities →