Pinot segment push endpoint has a vulnerability in unprotected environments
CVE-2022-23974

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Pinot
Vendor: CVE Published:; 5 April 2022

Summary

In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0

Affected Version(s)

Apache Pinot Apache Pinot <= 0.9.3

References

https://lists.apache.org/thread/3dk8pf1n02p8oj2j3czbtchyj...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 5, 2022
Vulnerability Reserved
Jan 26, 2022

Credit

Apache Pinot would like to thank [email protected], Kuiplatain@knownsec and FA1C0N@RPO_OFFICIAL for reporting the issue