CVE-2024-39676

Severity
7.5 HIGH
EPSS
0.4%
top 42.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jul 24

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot. This issue affects Apache Pinot: from 0.1 before 1.0.0. Users are recommended to upgrade to version 1.0.0 and configure RBAC, which fixes the issue. Details: When using a request to path “/appconfigs” to the controller, it can lead to the disclosure of sensitive information such as system information (e.g. arch, os version), environment information (e.g. maxHeapSize) and Pinot configurations (e.g. zooke

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages
3 packages

NVD apache/pinot 0.1.0 1.0.0

Vulnerability Details
3

CVEList
Apache Pinot: Unauthorized endpoint exposed sensitive information
2024-07-24

GHSA
Apache Pinot: Unauthorized endpoint exposed sensitive information
2024-07-24

OSV
Apache Pinot: Unauthorized endpoint exposed sensitive information
2024-07-24
CVE-2024-39676 (HIGH CVSS 7.5) | Exposure of Sensitive Information t | cvebase.io