{"uuid": "7ad27a02-b231-4097-86f7-8aa07212adfb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-25646", "type": "seen", "source": "https://t.me/arpsyndicate/1556", "content": "#ExploitObserverAlert\n\nCVE-2021-25646\n\nDESCRIPTION: Exploit Observer has 74 entries related to CVE-2021-25646. Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.\n\nFIRST-EPSS: 0.972840000\nNVD-IS: 5.9\nNVD-ES: 2.8", "creation_timestamp": "2023-12-08T12:13:26.000000Z"}