Pinot query endpoint and the realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support
CVE-2022-26112

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Pinot
Vendor: CVE Published:; 23 September 2022

Summary

In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. In order to avoid this, we disabled the groovy function support by default from Pinot release 0.11.0. See https://docs.pinot.apache.org/basics/releases/0.11.0

Affected Version(s)

Apache Pinot Apache Pinot <= 0.10.0

References

https://lists.apache.org/thread/4pb0r12s2b68d78llk04yd8rh...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 23, 2022
Vulnerability Reserved
Feb 25, 2022

Credit

Apache Pinot would like to thank Haoruo Chen([email protected]) for reporting the issue