7 matches found
org.apache.pinot:pinot-compatibility-verifier (=0.10.0), org.apache.pinot:pinot-distribution (>=0.1.0 <=0.10.0) +7 more potentially affected by CVE-2024-56325 via org.apache.pinot:pinot-controller (>=0.10.0 <=1.2.0)
org.apache.pinot:pinot-controller MAVEN version =0.10.0, =0.1.0, =0.11.0, =0.9.0, =0.1.0, =0.8.0, =0.8.0, =0.1.0, =0.1.0, =0.10.0 Source cves: CVE-2024-56325 Source advisory: OSV:GHSA-6JWP-4WVJ-6597...
org.apache.pinot:pinot-flink-connector (>=1.0.0 <=1.2.0), org.apache.pinot:pinot-minion-builtin-tasks (>=1.0.0 <=1.2.0) +1 more potentially affected by CVE-2024-56325 via org.apache.pinot:pinot-controller (>=1.0.0 <=1.2.0)
org.apache.pinot:pinot-controller MAVEN version =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.2.0 Source cves: CVE-2024-56325 Source advisory: SNYK:JAVA-ORGAPACHEPINOT-9637840...
Authentication Bypass Using an Alternate Path or Channel
Overview: Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to improper handling of specific path conditions in the authentication process, where the path does not contain / and contains .. An attacker can gain unauthorized access and...
MAL-2025-1493 Malicious code in pinot-controller-ui (npm)
Source: ghsa-malware 83ea1a5f03364deddf9525a13146b4cf1bece3baf1ce56a10c1ea5e424f6aeb3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in pinot-controller-ui (npm)
Source: ghsa-malware 83ea1a5f03364deddf9525a13146b4cf1bece3baf1ce56a10c1ea5e424f6aeb3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
org.apache.pinot:pinot-compatibility-verifier (=0.10.0), org.apache.pinot:pinot-distribution (>=0.1.0 <=0.10.0) +7 more potentially affected by CVE-2024-39676 via org.apache.pinot:pinot-controller (>=0.10.0 <=0.9.3)
org.apache.pinot:pinot-controller MAVEN version =0.10.0, =0.1.0, =0.11.0, =0.9.0, =0.1.0, =0.8.0, =0.8.0, =0.1.0, =0.1.0, =0.10.0 Source cves: CVE-2024-39676 Source advisory: OSV:GHSA-8GJ9-R4HV-3JJW...
Privilege Escalation
pinot-controller is vulnerable to privilege escalation. The vulnerability exists because the isDisableIngestionGroovy function of ControllerConf.java does not properly disable Groovy functionality by default, allowing an attacker to modify table-level config or broker/controller config to turn it ...