{"schema_version": "1.6.1", "id": "CVE-2022-23974", "summary": "Pinot segment push endpoint has a vulnerability in unprotected environments", "details": "In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service.\n\nPinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache Pinot"}, {"last_affected": "Apache Pinot"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread/3dk8pf1n02p8oj2j3czbtchyjsf8khwr"}]}