{"schema_version": "1.6.1", "id": "CVE-2021-25646", "summary": "Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.", "details": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.\n", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0.20.0 and earlier"}, {"last_affected": "0.20.0 and earlier"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E"}]}