An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with an empty password. This allows unauthorized access to otherwise restricted Druid resources without valid credentials.
The vulnerability stems from improper validation of LDAP authentication responses when anonymous binds are permitted, effectively treating anonymous bind success as valid user authentication. Risk to organizations includes unauthorized access to sensitive data stored in Druid datasources, execution of queries, potential data manipulation, and access to administrative interfaces.
This critical vulnerability has a CVSS score of 9.8, indicating high risk. Organizations should prioritize patching immediately.
Immediate mitigation is to disable anonymous (and unauthenticated) binds on the LDAP server, which removes the condition the bypass depends on. The complete fix is to upgrade Apache Druid to version 36.0.0 or later, which corrects the authenticator itself.
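The following is an added example, not Apache Druid's code: it models an LDAP-backed authenticator that treats "bind did not fail" as "user authenticated", shows why that breaks when the directory permits anonymous binds, and places the corrected logic beside it. The fake directory, the DN and the passwords are constructed for illustration.

```python
# Added example (not Apache Druid's code): models how an LDAP-backed
# authenticator turns "bind succeeded" into "user authenticated", and why
# that is wrong when the directory permits anonymous binds. The fake
# directory, DNs and passwords below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class FakeLdapServer:
    """Tiny stand-in for an LDAP server's simple-bind behaviour."""
    passwords: dict          # dn -> password (constructed sample data)
    allow_anonymous: bool    # the server setting the advisory says to disable

    def bind(self, dn: str, password: str) -> str:
        # RFC 4513 calls a bind with a DN and an empty password an
        # "unauthenticated" bind; servers that allow anonymous binds
        # accept it and grant only anonymous rights, but do not fail it.
        if password == "":
            if self.allow_anonymous:
                return "anonymous"
            raise PermissionError("unauthenticated bind rejected")
        if self.passwords.get(dn) == password:
            return "authenticated"
        raise PermissionError("invalid credentials")


def vulnerable_authenticate(server: FakeLdapServer, dn: str, password: str) -> bool:
    # Bug: any bind that does not raise is treated as proof of identity,
    # so an empty password for an existing DN is accepted.
    try:
        server.bind(dn, password)
        return True
    except PermissionError:
        return False


def hardened_authenticate(server: FakeLdapServer, dn: str, password: str) -> bool:
    # Fix 1: never forward an empty password; the server would treat the
    # bind as anonymous. Fix 2: require a bind authenticated *as dn*.
    if not password:
        return False
    try:
        return server.bind(dn, password) == "authenticated"
    except PermissionError:
        return False


USERS = {"uid=alice,ou=people,dc=example,dc=com": "s3cret"}  # constructed
ALICE = "uid=alice,ou=people,dc=example,dc=com"
```

Running both authenticators against a server with anonymous binds enabled and then disabled shows that the server-side mitigation closes the bypass even for the buggy code, while the hardened code is safe under either setting.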
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.