CVE-2021-26919

Apache Druid Authenticated users can execute arbitrary code from malicious MySQL database systems.

Description

Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2

Remediation

Workaround:

  • Users should upgrade to Druid 0.20.2 and enable new Druid configurations to mitigate vulnerable MySQL JDBC properties. Whenever possible, network access to cluster machines should be restricted to trusted hosts only. Ensure that users have the minimum set of Druid permissions necessary, and are not granted access to functionality that they do not require.
8.8
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 75.97% Top 5%
Vendor Advisory apache.org
Affected: Apache Software Foundation Apache Druid
Published at:
Updated at:

References

Link Tags
https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E vendor advisory mailing list
https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E mailing list
https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110%40%3Cdev.druid.apache.org%3E mailing list
https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc%40%3Ccommits.druid.apache.org%3E mailing list
https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697%40%3Cdev.druid.apache.org%3E mailing list
https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f%40%3Cdev.druid.apache.org%3E mailing list
https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864%40%3Ccommits.druid.apache.org%3E mailing list
https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872%40%3Ccommits.druid.apache.org%3E mailing list
https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f%40%3Cdev.druid.apache.org%3E mailing list

Frequently Asked Questions

What is the severity of CVE-2021-26919?
CVE-2021-26919 has been scored as a high severity vulnerability.
How to fix CVE-2021-26919?
As a workaround for remediating CVE-2021-26919: Users should upgrade to Druid 0.20.2 and enable new Druid configurations to mitigate vulnerable MySQL JDBC properties. Whenever possible, network access to cluster machines should be restricted to trusted hosts only. Ensure that users have the minimum set of Druid permissions necessary, and are not granted access to functionality that they do not require.
Is CVE-2021-26919 being actively exploited in the wild?
It is possible that CVE-2021-26919 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~76% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-26919?
CVE-2021-26919 affects Apache Software Foundation Apache Druid.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.