Pinot segment push endpoint has a vulnerability in unprotected environments
CVE-2022-23974

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Pinot
Vendor: CVE Published:; 5 April 2022

What is CVE-2022-23974?

In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0

Affected Version(s)

Apache Pinot Apache Pinot <= 0.9.3

References

https://lists.apache.org/thread/3dk8pf1n02p8oj2j3czbtchyj...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 5, 2022
Vulnerability Reserved
Jan 26, 2022

Credit

Apache Pinot would like to thank [email protected], Kuiplatain@knownsec and FA1C0N@RPO_OFFICIAL for reporting the issue