CVE-2022-23974 – org.apache.pinot:pinot
Package
Manager: maven
Name: org.apache.pinot:pinot
Vulnerable Version: >=0 <0.10.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03726 (percentile 0.87531)
Details
Logic error in Apache Pinot. In Apache Pinot 0.9.3 and older versions, the segment upload path allowed segment directories to be imported into Pinot tables. In Pinot installations that allow open access to the controller, a specially crafted request can potentially be exploited to cause disruption in the Pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0
Metadata
Created: 2022-04-06T00:01:28Z
Modified: 2022-04-17T15:34:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-29f8-q7mf-7cqj/GHSA-29f8-q7mf-7cqj.json
CWE IDs: ["CWE-674"]
Alternative ID: GHSA-29f8-q7mf-7cqj
Finding: F067
Auto approve: 1