You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@pinot.apache.org by Subbu Subramaniam <mc...@apache.org> on 2022/04/05 15:54:48 UTC

CVE-2022-23974: Apache Pinot: Pinot segment push endpoint has a vulnerability in unprotected environments

Description:

In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service.

Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0

Credit:

Apache Pinot would like to thank bubblegumkk@qq.com, Kuiplatain@knownsec and FA1C0N@RPO_OFFICIAL for reporting the issue


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pinot.apache.org
For additional commands, e-mail: dev-help@pinot.apache.org