GHSA-29f8-q7mf-7cqj

Source

https://github.com/advisories/GHSA-29f8-q7mf-7cqj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-29f8-q7mf-7cqj/GHSA-29f8-q7mf-7cqj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-29f8-q7mf-7cqj

Aliases

CVE-2022-23974

Published

2022-04-06T00:01:28Z

Modified

2023-11-08T04:08:28.629973Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Logic error in Apache Pinot

Details

In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0

Database specific

{
    "nvd_published_at": "2022-04-05T20:15:00Z",
    "github_reviewed_at": "2022-04-07T22:37:30Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-674"
    ]
}

References

Affected packages

Maven / org.apache.pinot:pinot

Package

Name: org.apache.pinot:pinot; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pinot/pinot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.10.0

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.5.0

0.6.0

0.7.0

0.7.1

0.8.0

0.9.0

0.9.1

0.9.2

0.9.3