
===================================================================
                            CERT-Renater

             Information Note No. 2022/VULN137
_____________________________________________________________________


DATE                 : 06/04/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Pinot versions prior to
                       0.10.0.

===================================================================
https://lists.apache.org/thread/3dk8pf1n02p8oj2j3czbtchyjsf8khwr
_____________________________________________________________________

CVE-2022-23974: Apache Pinot: Pinot segment push endpoint has a
vulnerability in unprotected environments

Posted to dev@pinot.apache.org

Subbu Subramaniam - Tuesday, April 5, 2022 5:54:48 PM GMT+2

Description:

In 0.9.3 or older versions of Apache Pinot, the segment upload path
allowed segment directories to be imported into Pinot tables. In Pinot
installations that allow open access to the controller, a specially
crafted request can potentially be exploited to cause disruption in
the Pinot service.

Pinot release 0.10.0 fixes this. See
https://docs.pinot.apache.org/basics/releases/0.10.0

Credit:

Apache Pinot would like to thank bubblegumkk@qq.com, Kuiplatain@knownsec
and FA1C0N@RPO_OFFICIAL for reporting the issue
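
The affected range in the note above (0.9.3 and older affected, 0.10.0
fixed) is easy to mis-triage with a naive string comparison, because
"0.9.3" sorts after "0.10.0" lexically. The following helper is an added
example for checking a host inventory against that boundary; it is not
code from CERT-Renater or from the Apache Pinot project. The inventory
and the example.internal host names are constructed sample data, and
the rule that a qualifier build such as 0.10.0-SNAPSHOT is still flagged
as affected is a conservative assumption made here, not a statement of
the advisory.

```python
"""Affected-version triage for CVE-2022-23974 (Apache Pinot < 0.10.0).

Added example, not part of the CERT-Renater note or the Apache advisory.
Versions are compared numerically, component by component, so 0.9.3 is
classified as older than 0.10.0 (a plain string comparison gets this
wrong). The inventory below is constructed sample data, not real hosts.
"""
import re

# First release carrying the fix, per the advisory.
FIXED_VERSION = "0.10.0"

# major.minor.patch with an optional qualifier after '-' or '+'
# (e.g. "0.10.0-SNAPSHOT"); anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+](.*))?$")


def parse_version(version: str) -> tuple[tuple[int, int, int], str]:
    """Return ((major, minor, patch), qualifier) for a Pinot version string.

    Raises ValueError on unrecognised input rather than silently treating
    an unparseable host as safe.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Pinot version string: {version!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch)), (qualifier or "")


def is_affected(version: str) -> bool:
    """True if the given Pinot version should be treated as vulnerable."""
    nums, qualifier = parse_version(version)
    fixed, _ = parse_version(FIXED_VERSION)
    if nums < fixed:
        return True
    if nums == fixed and qualifier:
        # Assumption (conservative): a pre-release/qualifier build of the
        # fix version may predate the fix, so flag it as affected too.
        return True
    return False


# Constructed sample inventory: hostname -> reported Pinot version.
SAMPLE_INVENTORY = {
    "pinot-controller-a.example.internal": "0.9.3",
    "pinot-controller-b.example.internal": "0.10.0",
    "pinot-controller-c.example.internal": "0.8.0",
    "pinot-controller-d.example.internal": "0.10.0-SNAPSHOT",
    "pinot-controller-e.example.internal": "0.11.0",
}


def affected_hosts(inventory: dict[str, str]) -> list[str]:
    """Sorted list of hosts whose Pinot version falls in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Pinot {SAMPLE_INVENTORY[host]} is affected by "
              f"CVE-2022-23974; upgrade to {FIXED_VERSION} or later")
```

Run it against your own inventory by replacing SAMPLE_INVENTORY; a version
string the regex does not recognise raises instead of being skipped, so an
odd value in the inventory surfaces rather than being counted as patched.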


========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
========================================================

