Apache Pinot fixes CVE-2024-39676

Apache Pinot has disclosed an information-disclosure vulnerability in its controller that could allow unauthorized actors to read sensitive system information, potentially leading to data leaks and further compromise.

The vulnerability, tracked as CVE-2024-39676, stems from missing access control on a controller endpoint: a request to the “/appConfigs” path on the Pinot controller can inadvertently expose sensitive information about the controller's configuration and environment to callers who have not been authorized to see it.


This information gives an attacker a trove of detail about the target's infrastructure, which can be used to identify further weaknesses to exploit. The advisory lists Pinot versions 0.1 through 0.9 as affected.

The Apache Pinot team has addressed this vulnerability in version 1.0.0, which introduces role-based access control (RBAC) for the controller, enabling administrators to restrict which principals may reach sensitive endpoints and the information they return.

All users of Apache Pinot are strongly urged to upgrade to version 1.0.0 or later. The upgrade alone is not the whole remediation: after upgrading, administrators should configure RBAC so that only authorized users can reach sensitive endpoints such as “/appConfigs,” and then verify that an unauthenticated request to that path is actually rejected.
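The following script is an added example and is not code from the advisory or from the Pinot project. It covers the two checks a practitioner wants after reading the advisory: whether a version string predates the fixing release, and whether a running controller still answers an unauthenticated GET to /appConfigs with data. The endpoint path and the affected range (0.1 through 0.9) come from the advisory; the controller URL, the verdict labels, the JSON-body heuristic and the sample body used below are assumptions of this example.

```python
"""Post-advisory checks for CVE-2024-39676.

Added example, not Pinot project code. Two things to verify:
  1. the controller version is at or past the fixing release (1.0.0);
  2. an unauthenticated GET /appConfigs is no longer answered with data.
"""
import json
import re
import sys
import urllib.error
import urllib.request

APPCONFIGS_PATH = "/appConfigs"          # endpoint named in the advisory
FIXED_IN = (1, 0, 0)                     # release that introduced controller RBAC
ADVISORY_AFFECTED_MAX = (0, 9)           # advisory lists 0.1 through 0.9 as affected


def parse_version(version: str) -> tuple:
    """Turn '0.12.1' or '1.0.0-SNAPSHOT' into a comparable tuple of ints."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def in_advisory_range(version: str) -> bool:
    """True when major.minor falls inside the advisory's listed range, 0.1 to 0.9."""
    v = parse_version(version)
    return (0, 1) <= v[:2] <= ADVISORY_AFFECTED_MAX


def lacks_fix(version: str) -> bool:
    """True when the version predates 1.0.0, the release carrying the RBAC fix.

    This is stricter than the advisory's listed range: it flags every release
    before the fixing version as needing the upgrade (an assumption of this
    example, not a statement from the advisory).
    """
    return parse_version(version) < FIXED_IN


def classify_response(status: int, body: bytes) -> str:
    """Map the result of an unauthenticated GET /appConfigs to a verdict."""
    if status in (401, 403):
        return "restricted"          # auth/RBAC rejected the anonymous caller
    if status == 200:
        try:
            json.loads(body)         # assumption: a JSON body means config was served
            return "exposed"
        except ValueError:
            return "exposed-nonjson"
    return f"unexpected-{status}"


def probe_appconfigs(controller_url: str, timeout: float = 5.0) -> str:
    """GET /appConfigs with no credentials and classify the outcome.

    controller_url is an assumption of this example, e.g. http://localhost:9000.
    """
    req = urllib.request.Request(controller_url.rstrip("/") + APPCONFIGS_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read())
    except urllib.error.URLError:
        return "unreachable"


if __name__ == "__main__":
    # Constructed sample of what a vulnerable controller might hand back.
    sample_body = b'{"jvmConfig": {}, "sysConfig": {}}'
    print("sample 200 + JSON body ->", classify_response(200, sample_body))
    print("0.9.3 lacks fix:", lacks_fix("0.9.3"), "| 1.0.0 lacks fix:", lacks_fix("1.0.0"))
    url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9000"
    verdict = probe_appconfigs(url)
    print(f"{url}{APPCONFIGS_PATH}: {verdict}")
    sys.exit(0 if verdict == "restricted" else 1)
```

Run it against a controller you own (`python check_appconfigs.py http://pinot-controller:9000`); an exit status of 0 means anonymous access to /appConfigs was refused, anything else means the RBAC configuration still needs attention. Note that `lacks_fix` deliberately flags 0.10 through 0.12 as well, since those predate the fixing release even though the advisory's listed range stops at 0.9.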

Organizations that rely on Pinot for real-time analytics and leave the controller reachable by unauthenticated clients are particularly at risk, as their sensitive data and system configuration could be exposed.
