{
  "id": "CVE-2020-1958",
  "details": "When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.",
  "aliases": ["GHSA-qh2g-7h5p-mxf4"],
  "modified": "2026-04-10T04:24:15.634254Z",
  "published": "2020-04-01T22:15:17.487Z",
  "references": [
    {"type": "WEB", "url": "https://lists.apache.org/thread.html/rffabc9e83cc2831bbee5db32b3965b84b09346a26ebc1012db63d28c%40%3Ccommits.druid.apache.org%3E"},
    {"type": "WEB", "url": "https://lists.apache.org/thread.html/r026540c617d334007810cd8f0068f617b5c78444be00a31fc1b03390%40%3Ccommits.druid.apache.org%3E"},
    {"type": "WEB", "url": "https://lists.apache.org/thread.html/r1526dbce98a138629a41daa06c13393146ddcaf8f9d273cc49d57681%40%3Ccommits.druid.apache.org%3E"},
    {"type": "WEB", "url": "https://lists.apache.org/thread.html/r1c32c95543d44559b8d7fd89b0a85f728c80e8b715685bbf788a15a4%40%3Ccommits.druid.apache.org%3E"},
    {"type": "WEB", "url": "https://lists.apache.org/thread.html/r47c90a378efdb3fd07ff7f74095b8eb63b3ca93b8ada5c2661c5e371%40%3Ccommits.druid.apache.org%3E"},
    {"type": "WEB", "url": "https://lists.apache.org/thread.html/r75e74d39c41c1b95a658b6a9f75fc6fd02b1d1922566a0ee4ee2fdfc%40%3Ccommits.druid.apache.org%3E"},
    {"type": "WEB", "url": "https://lists.apache.org/thread.html/rf70876ecafb45b314eff9d040c5281c4adb0cb7771eb029448cfb79b%40%3Cannounce.apache.org%3E"},
    {"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/r9d437371793b410f8a8e18f556d52d4bb68e18c537962f6a97f4945e%40%3Cdev.druid.apache.org%3E"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/apache/druid",
          "events": [{"introduced": "0"}, {"last_affected": "f37b9842f22c0a243a5811ac7e887cc188291ef1"}],
          "database_specific": {"versions": [{"introduced": "0"}, {"last_affected": "0.17.0"}]}
        }
      ],
      "versions": ["druid-0.1.0","druid-0.1.1","druid-0.1.10","druid-0.1.11","druid-0.1.12","druid-0.1.13","druid-0.1.14","druid-0.1.2","druid-0.1.3","druid-0.1.4","druid-0.1.6","druid-0.1.7","druid-0.1.8","druid-0.1.9","druid-0.17.0","druid-0.17.0-rc1","druid-0.3.10","druid-0.3.11","druid-0.3.12","druid-0.3.13","druid-0.3.14","druid-0.3.15","druid-0.3.16","druid-0.3.18","druid-0.3.20","druid-0.3.21","druid-0.3.22","druid-0.3.24","druid-0.3.25","druid-0.3.27","druid-0.3.28","druid-0.3.29","druid-0.3.30","druid-0.3.31","druid-0.3.32","druid-0.3.33","druid-0.3.34","druid-0.3.4","druid-0.3.5","druid-0.3.6","druid-0.4.0","druid-0.4.1","druid-0.4.10","druid-0.4.11","druid-0.4.12","druid-0.4.15","druid-0.4.16","druid-0.4.17","druid-0.4.18","druid-0.4.19","druid-0.4.2","druid-0.4.20","druid-0.4.21","druid-0.4.22","druid-0.4.23","druid-0.4.24","druid-0.4.25","druid-0.4.26","druid-0.4.27","druid-0.4.28","druid-0.4.29","druid-0.4.3","druid-0.4.30","druid-0.4.31","druid-0.4.32","druid-0.4.5","druid-0.4.6","druid-0.4.7","druid-0.4.8","druid-0.4.9","druid-0.5.0","druid-0.5.1","druid-0.5.10","druid-0.5.11","druid-0.5.13","druid-0.5.14","druid-0.5.15","druid-0.5.16","druid-0.5.17","druid-0.5.18","druid-0.5.19","druid-0.5.2","druid-0.5.20","druid-0.5.21","druid-0.5.22","druid-0.5.23","druid-0.5.24","druid-0.5.25","druid-0.5.26","druid-0.5.27","druid-0.5.29","druid-0.5.3","druid-0.5.30","druid-0.5.31","druid-0.5.32","druid-0.5.33","druid-0.5.34","druid-0.5.35","druid-0.5.38","druid-0.5.39","druid-0.5.41","druid-0.5.42","druid-0.5.43","druid-0.5.44","druid-0.5.45","druid-0.5.46","druid-0.5.47","druid-0.5.48","druid-0.5.49","druid-0.5.5","druid-0.5.51","druid-0.5.52","druid-0.5.53","druid-0.5.54","druid-0.5.56","druid-0.5.57","druid-0.5.58","druid-0.5.7","druid-0.5.8","druid-0.5.9","druid-0.6.0","druid-0.6.1","druid-0.6.10","druid-0.6.100","druid-0.6.101","druid-0.6.102","druid-0.6.103","druid-0.6.104","druid-0.6.105","druid-0.6.106","druid-0.6.107","druid-0.6.108","druid-0.6.109","druid-0.6.11","druid-0.6.110","druid-0.6.111","druid-0.6.112","druid-0.6.113","druid-0.6.114","druid-0.6.115","druid-0.6.116","druid-0.6.117","druid-0.6.118","druid-0.6.119","druid-0.6.12","druid-0.6.120","druid-0.6.121","druid-0.6.122","druid-0.6.123","druid-0.6.124","druid-0.6.125","druid-0.6.126","druid-0.6.127","druid-0.6.128","druid-0.6.129","druid-0.6.13","druid-0.6.130","druid-0.6.131","druid-0.6.132","druid-0.6.133","druid-0.6.134","druid-0.6.135","druid-0.6.136","druid-0.6.137","druid-0.6.138","druid-0.6.139","druid-0.6.14","druid-0.6.140","druid-0.6.141","druid-0.6.142","druid-0.6.143","druid-0.6.144","druid-0.6.145","druid-0.6.146","druid-0.6.147","druid-0.6.148","druid-0.6.149","druid-0.6.15","druid-0.6.150","druid-0.6.151","druid-0.6.152","druid-0.6.153","druid-0.6.154","druid-0.6.155","druid-0.6.156","druid-0.6.157","druid-0.6.158","druid-0.6.159","druid-0.6.16","druid-0.6.160","druid-0.6.17","druid-0.6.18","druid-0.6.19","druid-0.6.2","druid-0.6.20","druid-0.6.21","druid-0.6.22","druid-0.6.23","druid-0.6.24","druid-0.6.25","druid-0.6.26","druid-0.6.27","druid-0.6.28","druid-0.6.29","druid-0.6.3","druid-0.6.30","druid-0.6.31","druid-0.6.32","druid-0.6.33","druid-0.6.34","druid-0.6.35","druid-0.6.36","druid-0.6.37","druid-0.6.38","druid-0.6.39","druid-0.6.4","druid-0.6.40","druid-0.6.41","druid-0.6.42","druid-0.6.45","druid-0.6.46","druid-0.6.47","druid-0.6.48","druid-0.6.49","druid-0.6.5","druid-0.6.50","druid-0.6.51","druid-0.6.52","druid-0.6.53","druid-0.6.54","druid-0.6.55","druid-0.6.56","druid-0.6.57","druid-0.6.58","druid-0.6.59","druid-0.6.60","druid-0.6.61","druid-0.6.62","druid-0.6.63","druid-0.6.64","druid-0.6.65","druid-0.6.66","druid-0.6.68","druid-0.6.69","druid-0.6.7","druid-0.6.70","druid-0.6.71","druid-0.6.72","druid-0.6.73","druid-0.6.74","druid-0.6.75","druid-0.6.76","druid-0.6.77","druid-0.6.78","druid-0.6.79","druid-0.6.8","druid-0.6.81","druid-0.6.82","druid-0.6.83","druid-0.6.84","druid-0.6.85","druid-0.6.86","druid-0.6.87","druid-0.6.88","druid-0.6.89","druid-0.6.9","druid-0.6.90","druid-0.6.91","druid-0.6.92","druid-0.6.93","druid-0.6.94","druid-0.6.95","druid-0.6.96","druid-0.6.97","druid-0.6.98","druid-0.6.99","druid-0.7.0","druid-0.7.0-rc1","druid-0.7.0-rc2","druid-0.7.0-rc3","druid-0.7.1","druid-0.7.1-rc1","druid-0.8.0-rc1"],
      "database_specific": {"source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1958.json"}
    }
  ],
  "schema_version": "1.7.5",
  "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]
}