Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-56325

CWE-2885 documents5 sources
Severity
9.8CRITICAL
EPSS
20.0%
top 4.52%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Apache Software Foundation Apache PinotApache Pinot
Timeline
PublishedApr 1

Description

Authentication Bypass Issue If the path does not contain / and contain., authentication is not required. Expected Normal Request and Response Example curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users Return: {"code":401,"error":"HTTP 401 Unauthorized"} Malicious Request and Response Exa

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

NVDapache/pinot< 1.3.0

🔴Vulnerability Details

3
GHSA
Apache Pinot Vulnerable to Authentication Bypass2025-04-01
OSV
Apache Pinot Vulnerable to Authentication Bypass2025-04-01
CVEList
Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required2025-04-01

💥Exploits & PoCs

1
Nuclei
Apache Pinot < 1.3.0 - Authentication Bypass
CVE-2024-56325 (CRITICAL CVSS 9.8) | Authentication Bypass Issue If the | cvebase.io