H3-2021-0041
Apache Druid Server-Side Request Forgery Vulnerability
Category | SECURITY_MISCONFIGURATION |
Base Score | 7.0 |
Description
Apache Druid, by default, allows an unauthenticated user to control the parameters within a specially crafted url.
Impact
An unauthenticated attacker can make the Druid server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the network.