Apache Druid
cpe:2.3:a:apache:druid:*:*:*:*:*:*:*
- < 31.0.2
- < 32.0.1
A Server-Side Request Forgery (SSRF) vulnerability, along with improper input neutralization leading to Cross-Site Scripting (XSS) and Open Redirect issues, has been identified in Apache Druid. This vulnerability affects all versions prior to 31.0.2 and 32.0.1. When the Druid management proxy is enabled, a request with a specially crafted URL can be redirected to an arbitrary server, potentially allowing for XSS or Cross-Site Request Forgery (XSRF) attacks. Exploitation requires user authentication. The management proxy is enabled by default in Druid, but can be disabled to mitigate the vulnerability, although this may disrupt some web console features.
Exploitation of this vulnerability could lead to Server-Side Request Forgery, allowing an authenticated user to send requests to internal or external servers on behalf of the Druid server. This could be used to access or manipulate resources that are otherwise protected. The vulnerability also introduces Cross-Site Scripting risks, where an attacker could inject malicious scripts that are executed in the context of the user's browser.
Users are advised to upgrade to Apache Druid version 31.0.2 or 32.0.1, which address this vulnerability. For users on Druid 29.x, the patch from version 32.0.1 can be applied locally. Alternatively, the management proxy can be disabled by setting 'druid.router.managementProxy.enabled' to false on the Router, or by blocking certain paths upstream of the Router.
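A defender-side exposure check for this advisory, added here as an example and not code from the Apache Druid project: it reads a Router runtime.properties file (the sample below is constructed), treats an absent 'druid.router.managementProxy.enabled' key as enabled because the advisory states the proxy is on by default, and reports the deployment as exposed only when the running version is also below the fixed releases 31.0.2 / 32.0.1.

```python
# Added example (not Apache Druid project code): exposure check for the advisory above.
PROXY_KEY = "druid.router.managementProxy.enabled"
FIXED_31, FIXED_32 = (31, 0, 2), (32, 0, 1)  # first fixed releases per the advisory

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key: value; '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            props[line[:min(seps)].strip()] = line[min(seps) + 1:].strip()
    return props

def parse_version(version):
    """'32.0.1-SNAPSHOT' -> (32, 0, 1); pre-release suffixes are ignored."""
    return tuple(int(p) for p in version.split("-", 1)[0].split("."))

def version_is_vulnerable(version):
    """Below 31.0.2 is vulnerable; in the 32.0 line, below 32.0.1 is vulnerable."""
    v = parse_version(version)
    return v < FIXED_31 or (v[:2] == (32, 0) and v < FIXED_32)

def proxy_enabled(props):
    """The proxy is on by default, so an absent key counts as enabled."""
    return props.get(PROXY_KEY, "true").strip().lower() == "true"

def assess(runtime_properties, version):
    """Exposed only when both hold: unpatched build AND management proxy enabled."""
    enabled = proxy_enabled(parse_properties(runtime_properties))
    vulnerable = version_is_vulnerable(version)
    return {"vulnerable_version": vulnerable, "proxy_enabled": enabled,
            "exposed": vulnerable and enabled}

# Constructed sample Router runtime.properties; the proxy key is left at its default.
SAMPLE_ROUTER_PROPERTIES = """\
# Router service (constructed sample)
druid.service=druid/router
druid.plaintextPort=8888
"""

if __name__ == "__main__":
    print(assess(SAMPLE_ROUTER_PROPERTIES, "31.0.1"))  # exposed: True
    hardened = SAMPLE_ROUTER_PROPERTIES + PROXY_KEY + "=false\n"
    print(assess(hardened, "31.0.1"))  # exposed: False (proxy disabled)
```

Disabling the proxy is the stop-gap the advisory describes; the check reports a patched build as not exposed regardless of the key, since the upgrade is the full fix.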