GHSA-qh2g-7h5p-mxf4 · Severity: medium · Ecosystem: maven — Credentials bypass in Apache Druid
When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based authorization checks, if configured. Callers of Druid APIs can also retrieve any LDAP attribute values of users that exist on the LDAP server, so long as that information is visible to the Druid server. This information disclosure does not require the caller itself to be a valid LDAP user.
Conclusion & alert: CVE-2020-1958 is rated Moderate Risk (52.6/100): CVSS Medium severity, with high exploitation likelihood (EPSS 4.57%, 90th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 15.57% | 4.57% | -11.00% |
| 2 | 2025-11-21 | 15.24% | 15.57% | +0.32% |
| 3 | 2025-11-18 | — | 15.24% | — |
Full EPSS history (20 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
| 3.5 | 2.0 | LOW |
|
6.8 | 2.9 | [email protected] |
GHSA-qh2g-7h5p-mxf4 · Severity: medium · Ecosystem: maven — Credentials bypass in Apache Druid
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2020-1958 |