VYPR
← All advisories
Moderate severityNVD Advisory· Published Apr 1, 2020· Updated Aug 4, 2024

CVE-2020-1958

CVE-2020-1958

Description

Apache Druid 0.17.0 LDAP authentication flaw allows bypass of user search filter and unauthorized LDAP attribute disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Druid 0.17.0 LDAP authentication flaw allows bypass of user search filter and unauthorized LDAP attribute disclosure.

Vulnerability

Overview

CVE-2020-1958 affects Apache Druid 0.17.0 when LDAP authentication is enabled. The vulnerability stems from improper enforcement of the credentialsValidator.userSearch filter, which is intended to restrict which LDAP users can authenticate. An attacker with valid LDAP credentials can bypass this filter and authenticate to Druid, even if their LDAP entry does not match the configured search filter [1][2].

Exploitation

To exploit the authentication bypass, an attacker must possess valid credentials for any LDAP user visible to the Druid server. No prior authentication to Druid is required; simply providing the credentials in API calls suffices. Additionally, the vulnerability allows any caller—even those without valid LDAP credentials—to retrieve arbitrary LDAP attribute values of existing users, as long as the Druid server can query those attributes [1][3].

Impact

The primary impact is authentication bypass: an attacker who can authenticate as a valid LDAP user gains access to Druid APIs, though they remain subject to role-based authorization checks if configured. The secondary impact is information disclosure, as LDAP attributes (e.g., email, group membership) of any user can be retrieved without authentication. This could aid further attacks or expose sensitive data [1][2].

Mitigation

The issue has been fixed in Apache Druid versions after 0.17.0. Users should upgrade to a patched version. The fix was implemented in pull request #9600 and the corresponding commit [2][3]. No workarounds have been provided for older versions.

References
  1. NVD - CVE-2020-1958
  2. Fix for [CVE-2020-1958] Apache Druid LDAP injection vulnerability by jon-wei · Pull Request #9600 · apache/druid
  3. Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#… · apache/druid@dbaabdd

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.druid:druidMaven
>= 0.17.0, < 0.17.10.17.1

Affected products

2

Patches

1
dbaabdd24710

Fix for [CVE-2020-1958]: Apache Druid LDAP injection vulnerability (#9600)

https://github.com/apache/druidJonathan WeiApr 1, 2020via ghsa
commit
5 files changed · +122 1
  • extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java+46 1 modified
    @@ -189,9 +189,10 @@ SearchResult getLdapUserObject(BasicAuthLDAPConfig ldapConfig, DirContext contex
       SearchControls sc = new SearchControls();
       sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
       sc.setReturningAttributes(new String[] {ldapConfig.getUserAttribute(), "memberOf" });
+      String encodedUsername = encodeForLDAP(username, true);
       NamingEnumeration<SearchResult> results = context.search(
           ldapConfig.getBaseDn(),
-          StringUtils.format(ldapConfig.getUserSearch(), username),
+          StringUtils.format(ldapConfig.getUserSearch(), encodedUsername),
           sc);
       try {
         if (!results.hasMore()) {
@@ -293,4 +294,48 @@ public LdapUserPrincipal put(String key, LdapUserPrincipal value)
       }
     }
   }
+
+  /**
+   * This code is adapted from DefaultEncoder from version 2.2.0.0 of ESAPI (https://github.com/ESAPI/esapi-java-legacy)
+   */
+  public static String encodeForLDAP(String input, boolean encodeWildcards)
+  {
+    if (input == null) {
+      return null;
+    }
+    StringBuilder sb = new StringBuilder();
+    for (int i = 0; i < input.length(); i++) {
+      char c = input.charAt(i);
+
+      switch (c) {
+        case '\\':
+          sb.append("\\5c");
+          break;
+        case '/':
+          sb.append(("\\2f"));
+          break;
+        case '*':
+          if (encodeWildcards) {
+            sb.append("\\2a");
+          } else {
+            sb.append(c);
+          }
+
+          break;
+        case '(':
+          sb.append("\\28");
+          break;
+        case ')':
+          sb.append("\\29");
+          break;
+        case '\0':
+          sb.append("\\00");
+          break;
+        default:
+          sb.append(c);
+      }
+    }
+    return sb.toString();
+  }
+
 }
  • extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/LDAPCredentialsValidatorTest.java+47 0 added
    @@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.authentication.validator;
+
+import org.apache.druid.security.basic.authentication.validator.LDAPCredentialsValidator;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class LDAPCredentialsValidatorTest
+{
+  @Test
+  public void testEncodeForLDAP_noSpecialChars()
+  {
+    String input = "user1";
+    String encoded = LDAPCredentialsValidator.encodeForLDAP(input, true);
+    Assert.assertEquals(input, encoded);
+  }
+
+  @Test
+  public void testEncodeForLDAP_specialChars()
+  {
+    String input = "user1\\*()\0/user1";
+    String encodedWildcardTrue = LDAPCredentialsValidator.encodeForLDAP(input, true);
+    String encodedWildcardFalse = LDAPCredentialsValidator.encodeForLDAP(input, false);
+    String expectedWildcardTrue = "user1\\5c\\2a\\28\\29\\00\\2fuser1";
+    String expectedWildcardFalse = "user1\\5c*\\28\\29\\00\\2fuser1";
+    Assert.assertEquals(expectedWildcardTrue, encodedWildcardTrue);
+    Assert.assertEquals(expectedWildcardFalse, encodedWildcardFalse);
+  }
+}
  • LICENSE+7 0 modified
    @@ -307,6 +307,13 @@ SOURCE/JAVA-CORE
      which is available under a BSD-3-Clause License. For details, see licenses/src/porter-stemmer.BSD3.
       * processing/src/test/java/org/apache/druid/query/extraction/JavaScriptExtractionFnTest.java
 
+SOURCE/EXTENSIONS/druid-basic-security
+    This product contains an LDAP string encoding function from OWASP ESAPI, copyright The OWASP Foundation
+     (https://github.com/ESAPI/esapi-java-legacy) which is available under the BSD-3-Clause License. For details, see
+     licenses/src/esapi.BSD3.
+      * extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java
+
+
 Public Domain
 ================================
  • licenses/src/esapi.BSD3+11 0 added
    @@ -0,0 +1,11 @@
+The BSD License
+
+Copyright (c) 2007, The OWASP Foundation
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+Neither the name of the OWASP Foundation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  • licenses.yaml+11 0 modified
    @@ -146,6 +146,17 @@ source_paths:
 
 ---
 
+name: LDAP string encoding function from OWASP ESAPI
+license_category: source
+module: extensions/druid-basic-security
+license_name: BSD-3-Clause License
+copyright: The OWASP Foundation (https://github.com/ESAPI/esapi-java-legacy)
+license_file_path: licenses/src/esapi.BSD3
+source_paths:
+  - extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java
+
+---
+
 name: AWS SDK for Java
 license_category: binary
 module: java-core

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

19

News mentions

0

No linked articles in our index yet.