Learn about CVE-2020-1958 impacting Apache Druid 0.17.0. Discover how the LDAP authentication bypass allows unauthorized access to LDAP attribute values and the necessary mitigation steps.
Apache Druid LDAP Injection Vulnerability
Understanding CVE-2020-1958
Apache Druid version 0.17.0 is affected by an LDAP authentication bypass vulnerability that allows users with valid LDAP credentials to bypass the configured security filters.
What is CVE-2020-1958?
When LDAP authentication is enabled in Apache Druid 0.17.0, authenticated callers can bypass the credentialsValidator.userSearch filter barrier that validates LDAP user authenticity. This flaw allows unauthorized access and information disclosure, exposing LDAP attribute values without proper authentication.
The Impact of CVE-2020-1958
The vulnerability leads to unauthorized access to LDAP attribute values. Although the exposed data is still subject to Druid's role-based authorization checks, the flaw can compromise sensitive information stored on the LDAP server.
Technical Details of CVE-2020-1958
Vulnerability Description
With LDAP authentication enabled, the credentialsValidator.userSearch filter that is meant to validate LDAP user authenticity can be bypassed by authenticated callers.
Affected Systems and Versions
Apache Druid 0.17.0 with LDAP authentication enabled.
Exploitation Mechanism
Users with valid LDAP credentials can evade the userSearch security filter and retrieve LDAP attribute values without proper authorization.
Mitigation and Prevention
Immediate Steps to Take
Until the fix is applied, limit which LDAP accounts are permitted to authenticate to Druid and keep role-based authorization as restrictive as possible, since those checks are the remaining control over what an authenticated caller can read.
Long-Term Security Practices
Review the LDAP authenticator configuration, in particular the credentialsValidator.userSearch filter, after every Druid upgrade, and keep Druid and its authentication extensions current.
Patching and Updates
Upgrade from Apache Druid 0.17.0 to a release that addresses CVE-2020-1958.