Source: CNVD (China National Vulnerability Database)
ID: CNVD-2021-89547
History: Nov 19, 2021 - 12:00 a.m.

Apache Druid LoadData has an arbitrary file reading vulnerability

Published: 2021-11-19 00:00:00
China National Vulnerability Database
www.cnvd.org.cn
Tags: apache druid, vulnerability, file reading, http, inputsource, application level restrictions

EPSS: 0.765 (percentile 98.2%)

Apache Druid is a column-oriented, distributed open-source database written in Java and maintained by the Apache Software Foundation. In Druid's ingestion system an InputSource reads data from a data source. The HTTP InputSource, however, allows an authenticated user to read data from other sources, such as the local file system, with the privileges of the Druid server process. When the user accesses Druid directly this is not an elevation of privilege, because Druid also provides a Local InputSource that grants the same level of access. It becomes a problem when the user interacts with Druid indirectly through an application that lets the user specify an HTTP InputSource but not a Local InputSource: in that case the user can bypass the application-level restriction by passing a file URL (a file:// URI rather than an http:// or https:// one) to the HTTP InputSource. No further details of the vulnerability were available at the time of publication.
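The bypass described above is a URI-scheme problem on the application side: an intermediary that only intends to expose HTTP ingestion must not forward an ingestion spec whose HTTP InputSource carries a non-HTTP URI, and it must not let a Local InputSource through by another route. The following Python gatekeeper is added here as an illustration; it is not part of the CNVD entry and not Druid's own code. It assumes the usual native-batch layout `spec.ioConfig.inputSource`, an `http` source's `uris` list, and Druid's `combining` source with its `delegates` list (checked recursively so a file-backed source cannot be hidden one level down). The sample specs are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Only these schemes are acceptable for an HTTP InputSource forwarded by the
# application; "file" (and anything else the JVM URL stack understands) is not.
ALLOWED_SCHEMES = {"http", "https"}

# Input source types the application is willing to forward. "local" is excluded
# on purpose: that is the access the application-level restriction is meant to deny.
ALLOWED_SOURCE_TYPES = {"http", "combining"}


class SpecRejected(ValueError):
    """Raised when an ingestion spec must not be forwarded to Druid."""


def _check_uri(uri):
    if not isinstance(uri, str):
        raise SpecRejected(f"uri is not a string: {uri!r}")
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SpecRejected(f"scheme {scheme or '(none)'!r} not allowed: {uri!r}")
    # http:///etc/passwd has an allowed scheme but no host; reject that too.
    if not parts.netloc:
        raise SpecRejected(f"uri has no host: {uri!r}")


def _check_input_source(src):
    if not isinstance(src, dict):
        raise SpecRejected("inputSource must be a JSON object")
    kind = str(src.get("type", "")).lower()
    if kind not in ALLOWED_SOURCE_TYPES:
        raise SpecRejected(f"inputSource type {kind!r} not allowed")
    if kind == "http":
        uris = src.get("uris")
        if isinstance(uris, str):  # tolerate a single string instead of a list
            uris = [uris]
        if not isinstance(uris, list) or not uris:
            raise SpecRejected("http inputSource needs a non-empty 'uris' list")
        for uri in uris:
            _check_uri(uri)
    else:  # combining: every delegate must itself pass the same checks
        delegates = src.get("delegates")
        if not isinstance(delegates, list) or not delegates:
            raise SpecRejected("combining inputSource needs a non-empty 'delegates' list")
        for delegate in delegates:
            _check_input_source(delegate)


def check_spec(spec_json):
    """Return (True, "") if the spec may be forwarded, else (False, reason)."""
    try:
        spec = json.loads(spec_json)
    except ValueError as exc:
        return False, f"not valid JSON: {exc}"
    try:
        src = spec["spec"]["ioConfig"]["inputSource"]
    except (KeyError, TypeError):
        return False, "spec.ioConfig.inputSource missing"
    try:
        _check_input_source(src)
    except SpecRejected as exc:
        return False, str(exc)
    return True, ""


def _spec(input_source):
    """Wrap an inputSource in a minimal index_parallel task (constructed sample)."""
    return json.dumps({
        "type": "index_parallel",
        "spec": {
            "dataSchema": {"dataSource": "demo"},
            "ioConfig": {"type": "index_parallel", "inputSource": input_source,
                         "inputFormat": {"type": "json"}},
        },
    })


# Constructed sample specs: one legitimate, the rest variants of the bypass.
BENIGN = _spec({"type": "http", "uris": ["https://data.example.org/events.json"]})
FILE_URI = _spec({"type": "http", "uris": ["file:///etc/passwd"]})
LOCAL = _spec({"type": "local", "baseDir": "/etc", "filter": "passwd"})
NESTED = _spec({"type": "combining", "delegates": [
    {"type": "http", "uris": ["https://data.example.org/a.json"]},
    {"type": "http", "uris": ["FILE:///etc/shadow"]},
]})
NO_HOST = _spec({"type": "http", "uris": ["http:///etc/passwd"]})

if __name__ == "__main__":
    for name, spec in [("benign", BENIGN), ("file uri", FILE_URI), ("local", LOCAL),
                       ("nested", NESTED), ("no host", NO_HOST)]:
        ok, reason = check_spec(spec)
        print(f"{name:9s} -> {'forward' if ok else 'reject: ' + reason}")
```

The check is an allowlist on both the source type and the URI scheme, not a denylist of `file`, because the JVM's URL handlers accept more than the two schemes an HTTP-only front end intends to offer. Whether the forwarded `http://` hosts themselves should be restricted (internal addresses, metadata endpoints) is a separate question this entry does not cover.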