Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xajlwLWp2bXctODJyaM4AAvB5

Apache Pinot has Groovy Function support enabled by default

Pinot allows you to run any function using Apache Groovy scripts. In versions prior to 0.10.0, the Pinot query endpoint and realtime ingestion layer have a vulnerability in unprotected environments because Groovy function support is enabled by default. This issue has been fixed by making function support disabled by default, in version 0.11.0. A potential workaround is to disable Groovy script support.

Permalink: https://github.com/advisories/GHSA-qj9p-jvmw-82rh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xajlwLWp2bXctODJyaM4AAvB5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-qj9p-jvmw-82rh, CVE-2022-26112
References:
Repository: https://github.com/apache/pinot
Blast Radius: 1.0

Affected Packages

maven:org.apache.pinot:pinot
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 0.11.0
Fixed in: 0.11.0
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0
All unaffected versions: 0.11.0, 0.12.0, 0.12.1, 1.0.0, 1.1.0