Apache Druid Vulnerable to Authentication Bypass
Affected Products and Versions

Apache Druid

Affected Versions: 0.17.0 through 35.x (all versions prior to 36.0.0)

Prerequisites:

* druid-basic-security extension enabled
* LDAP authenticator configured
* Underlying LDAP server permits anonymous bind

Vulnerability Description

An authentication bypass vulnerability exists in Apache Druid when using the druid-basic-security extension with LDAP authentication. If the underlying LDAP server is configured to allow anonymous binds, an attacker can bypass authentication by providing an existing username with …
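
To triage a deployment against the affected version range and prerequisites listed above, the following Python audit is an added example, not code from the advisory or from the Apache Druid project. The property keys are the ones Druid documents for the druid-basic-security extension and do not appear on this page; the sample file and the authenticator name `corp_ldap` are constructed.

```python
import json
import re

# Constructed sample of a Druid common.runtime.properties file (not from the advisory).
SAMPLE_PROPERTIES = """\
druid.extensions.loadList=["druid-hdfs-storage", "druid-basic-security"]
druid.auth.authenticatorChain=["corp_ldap"]
druid.auth.authenticator.corp_ldap.type=basic
druid.auth.authenticator.corp_ldap.credentialsValidator.type=ldap
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def version_affected(version):
    """True for 0.17.0 through 35.x, the range the advisory lists."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return (0, 17, 0) <= tuple(nums) < (36, 0, 0)

def json_list(props, key):
    """Druid list properties are JSON arrays; return [] if missing or malformed."""
    try:
        value = json.loads(props.get(key, "[]"))
    except json.JSONDecodeError:
        return []
    return value if isinstance(value, list) else []

def audit(properties_text, version):
    props = parse_properties(properties_text)
    affected = version_affected(version)
    extension = "druid-basic-security" in json_list(props, "druid.extensions.loadList")
    # Only authenticators in the active chain that validate credentials against LDAP.
    ldap_names = [n for n in json_list(props, "druid.auth.authenticatorChain")
                  if props.get(f"druid.auth.authenticator.{n}.credentialsValidator.type") == "ldap"]
    # The third prerequisite (anonymous bind) is an LDAP server setting and cannot be
    # read from Druid's properties; this flag says whether that server needs review.
    return {"version_affected": affected, "extension_enabled": extension,
            "ldap_authenticators": ldap_names,
            "check_ldap_anonymous_bind": affected and extension and bool(ldap_names)}
```

When `check_ldap_anonymous_bind` is true, the remaining prerequisite has to be verified on the LDAP server itself.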