Show filters

Showing topic results for "CVE-2021-25646":

(1-1 of 1)

Sort by:
Attacker Value
High

CVE-2021-25646

Disclosure Date: January 29, 2021 (last updated February 02, 2021)
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.