Description

In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0

Remediation

References

https://lists.apache.org/thread/3dk8pf1n02p8oj2j3czbtchyjsf8khwr

Related Vulnerabilities

CVE-2023-37950 Vulnerability in maven package com.mabl.integration.jenkins:mabl-integration

CVE-2023-28668 Vulnerability in maven package org.jenkins-ci.plugins:role-strategy

CVE-2023-24997 Vulnerability in maven package org.apache.inlong:manager-pojo

CVE-2023-49656 Vulnerability in maven package org.jenkins-ci.plugins:matlab

CVE-2016-7103 Vulnerability in maven package org.webjars.bower:jquery-ui

Severity

High

Classification

CWE-674 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Mailing List Release Notes Vendor Advisory