Apache Pinot vulnerability: Sensitive Information Disclosure Due to Inadequate Access Control
CVE-2024-39676

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Pinot
Vendor: CVE Published:; 24 July 2024

Summary

Apache Pinot contains a vulnerability that exposes sensitive information to unauthorized users. Specifically, when a request is made to the '/appconfigs' path on the controller, critical system and environment data is revealed, including architecture details, operating system version, maximum heap size, and crucial Pinot configurations like the Zookeeper path. To mitigate this vulnerability, users are strongly encouraged to upgrade to version 1.0.0 and implement Role-based Access Control (RBAC) to restrict access to the '/appconfigs' endpoint and other associated APIs. Properly configuring RBAC ensures that only authorized personnel can view sensitive data, thereby enhancing the security of the Apache Pinot deployment.

Affected Version(s)

Apache Pinot 0.1 < 1.0.0

References

https://lists.apache.org/thread/hsm0b2w8qr0sqy4rj1mfnnw28...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 24, 2024
Vulnerability Reserved
Jun 27, 2024

Credit

Xun Bai <[email protected]>