CVE-2022-23974

CWE-674Uncontrolled Recursion4 documents4 sources
Severity
7.5HIGH
EPSS
3.2%
top 12.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache PinotApache Software Foundation Apache Pinot
Timeline
PublishedApr 5
Latest updateApr 6

Description

In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDapache/pinot< 0.10.0
Mavenorg.apache.pinot:pinot< 0.10.0
CVEListV5apache_software_foundation/apache_pinotApache Pinot0.9.3

🔴Vulnerability Details

3
OSV
Logic error in Apache Pinot2022-04-06
GHSA
Logic error in Apache Pinot2022-04-06
CVEList
Pinot segment push endpoint has a vulnerability in unprotected environments2022-04-05
CVE-2022-23974 (HIGH CVSS 7.5) | In 0.9.3 or older versions of Apach | cvebase.io