
Apache Pinot, the high-performance real-time OLAP datastore originally developed by LinkedIn and Uber, has become a critical tool for organizations relying on low-latency analytics. However, a newly disclosed authentication bypass vulnerability (CVE-2024-56325, CVSS 9.8) raises serious security concerns, allowing remote attackers to gain unauthorized access to affected systems without authentication.
The vulnerability stems from insufficient neutralization of special characters in a URI within the AuthenticationFilter class. This flaw allows attackers to craft malicious requests that bypass the authentication mechanism, effectively granting them access to the system as if they were authenticated users.
The vulnerability was reported by Sunflower from the Knownsec 404 Team and disclosed by the Trend Micro Zero-Day Initiative (ZDI).
According to ZDI’s advisory, “The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system.”
Apache Pinot is widely used by organizations to power real-time analytics applications, including those handling sensitive information. The ability to bypass authentication could have severe consequences, enabling attackers to access, modify, or delete critical data.
The vulnerability has been addressed in Apache Pinot version 1.3.0. Users of Apache Pinot are strongly urged to update to the latest version to mitigate the risk of exploitation.