CVE-2020-1958

MEDIUM

Apache Druid 0.17.0 - Authentication Bypass and Information Disclosure via LDAP User Search

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-1958. PoCs published by ggolawski.

AI-analyzed exploit summary This PoC demonstrates LDAP injection in Apache Druid 0.17.0, allowing unauthorized enumeration of LDAP users and retrieval of arbitrary LDAP attributes via crafted authentication requests.

Description

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.

Exploits (1)

nomisec WORKING POC 22 stars
by ggolawski · poc
https://github.com/ggolawski/CVE-2020-1958

This PoC demonstrates LDAP injection in Apache Druid 0.17.0, allowing unauthorized enumeration of LDAP users and retrieval of arbitrary LDAP attributes via crafted authentication requests.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Apache Druid 0.17.0
No auth needed
Prerequisites: Druid server with LDAP authentication enabled · Network access to the Druid server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (8)

Core 8
Core References

Scores

CVSS v3 6.5
EPSS 0.0457
EPSS Percentile 90.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-74
Status published
Products (2)
apache/druid 0.17.0
org.apache.druid/druid 0.17.0 - 0.17.1Maven
Published Apr 01, 2020
Tracked Since Feb 18, 2026