Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/org.apache.pinot/pinot@0.11.0 |
| Type | maven |
| Namespace | org.apache.pinot |
| Name | pinot |
| Version | 0.11.0 |
| Qualifiers |
|
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 1.3.0 |
| Latest_non_vulnerable_version | 1.3.0 |
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-bz18-zy1s-4bbn |
| vulnerability_id |
VCID-bz18-zy1s-4bbn |
| summary |
Apache Pinot Vulnerable to Authentication Bypass
Authentication Bypass Issue
If the path does not contain "/" and contains ".", authentication is not required.
Expected Normal Request and Response Example |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-56325 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.17409 |
| scoring_system |
epss |
| scoring_elements |
0.95198 |
| published_at |
2026-06-05T12:55:00Z |
|
| 1 |
| value |
0.17409 |
| scoring_system |
epss |
| scoring_elements |
0.95203 |
| published_at |
2026-06-09T12:55:00Z |
|
| 2 |
| value |
0.17409 |
| scoring_system |
epss |
| scoring_elements |
0.952 |
| published_at |
2026-06-08T12:55:00Z |
|
| 3 |
| value |
0.17409 |
| scoring_system |
epss |
| scoring_elements |
0.95201 |
| published_at |
2026-06-07T12:55:00Z |
|
| 4 |
| value |
0.17409 |
| scoring_system |
epss |
| scoring_elements |
0.95199 |
| published_at |
2026-06-06T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-56325 |
|
| 1 |
| reference_url |
https://github.com/apache/pinot |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/pinot |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-56325, GHSA-6jwp-4wvj-6597
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bz18-zy1s-4bbn |
|
|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-h71c-m8zg-jfhx |
| vulnerability_id |
VCID-h71c-m8zg-jfhx |
| summary |
Apache Pinot has Groovy Function support enabled by default
Pinot allows you to run any function using Apache Groovy scripts. In versions prior to 0.10.0, the Pinot query endpoint and realtime ingestion layer have a vulnerability in unprotected environments because Groovy function support is enabled by default. This issue has been fixed in version 0.11.0 by making function support disabled by default. A potential workaround is to disable Groovy script support. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-26112 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01863 |
| scoring_system |
epss |
| scoring_elements |
0.83415 |
| published_at |
2026-06-04T12:55:00Z |
|
| 1 |
| value |
0.01863 |
| scoring_system |
epss |
| scoring_elements |
0.83443 |
| published_at |
2026-06-09T12:55:00Z |
|
| 2 |
| value |
0.01863 |
| scoring_system |
epss |
| scoring_elements |
0.83429 |
| published_at |
2026-06-08T12:55:00Z |
|
| 3 |
| value |
0.01863 |
| scoring_system |
epss |
| scoring_elements |
0.83436 |
| published_at |
2026-06-07T12:55:00Z |
|
| 4 |
| value |
0.01863 |
| scoring_system |
epss |
| scoring_elements |
0.8344 |
| published_at |
2026-06-06T12:55:00Z |
|
| 5 |
| value |
0.01863 |
| scoring_system |
epss |
| scoring_elements |
0.83439 |
| published_at |
2026-06-05T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-26112 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-26112, GHSA-qj9p-jvmw-82rh
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h71c-m8zg-jfhx |
|
|
| Risk_score | 4.5 |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.pinot/pinot@0.11.0 |