CVE-2022-23974: Logic error in Apache Pinot

April 5, 2022 (updated April 15, 2022)

In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0

References

docs.pinot.apache.org/basics/releases/0.10.0
github.com/advisories/GHSA-29f8-q7mf-7cqj
github.com/apache/pinot/pull/7969
lists.apache.org/thread/3dk8pf1n02p8oj2j3czbtchyjsf8khwr
nvd.nist.gov/vuln/detail/CVE-2022-23974

Code Behaviors & Features

Detect and mitigate CVE-2022-23974 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →