CVE-2022-26112 – org.apache.pinot:pinot
Package
Manager: maven
Name: org.apache.pinot:pinot
Vulnerable Version: >=0 <0.11.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00125 (percentile: 0.32433)
Details
Apache Pinot has Groovy function support enabled by default. Pinot allows you to run any function using Apache Groovy scripts. In versions prior to 0.10.0, the Pinot query endpoint and the realtime ingestion layer have a vulnerability in unprotected environments because Groovy function support is enabled by default. This issue has been fixed in version 0.11.0 by disabling Groovy function support by default. A potential workaround is to disable Groovy script support.
Metadata
Created: 2022-09-25T00:00:26Z
Modified: 2025-05-28T19:33:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-qj9p-jvmw-82rh/GHSA-qj9p-jvmw-82rh.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-qj9p-jvmw-82rh
Finding: F422
Auto approve: 1