Lucene search

GitHub Advisory DatabaseGHSA-QJ9P-JVMW-82RH

HistorySep 25, 2022 - 12:00 a.m.

Apache Pinot has Groovy Function support enabled by default

2022-09-2500:00:26

GitHub Advisory Database

github.com

apache pinot

groovy function

vulnerability

version 0.11.0

workaround

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

55.6%

JSON

Pinot allows you to run any function using Apache Groovy scripts. In versions prior to 0.10.0, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to groovy function support being enabled by default. This issue has been fixed by making function support disabled by default, in version 0.11.0. A potential workaround is to disable groovy script support.

Affected configurations

Vulners

Node

org.apache.pinotpinotRange<0.11.0

VendorProductVersionCPE
org.apache.pinotpinot*cpe:2.3:a:org.apache.pinot:pinot:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.pinot	pinot	*	cpe:2.3:a:org.apache.pinot:pinot::::::::

References

docs.pinot.apache.org/basics/releases/0.11.0

github.com/advisories/GHSA-qj9p-jvmw-82rh

github.com/apache/pinot/pull/8711

lists.apache.org/thread/4pb0r12s2b68d78llk04yd8rh3qk5t9h

nvd.nist.gov/vuln/detail/CVE-2022-26112

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

55.6%

JSON

Related for GHSA-QJ9P-JVMW-82RH