Apache Pinot Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in Apache Pinot versions prior to 1.3. The issue arises when the request path does not contain a forward slash and includes a period, allowing authentication to be bypassed. This vulnerability enables the addition of new users without authentication, granting control over the Pinot instance.

Impact

Exploitation of this vulnerability allows for unauthorized user creation, bypassing authentication mechanisms and potentially leading to unauthorized control over the Apache Pinot application.

Reproduction

To reproduce this vulnerability, send a POST request to the '/users' endpoint on the Pinot server (port 9000) with a JSON payload that includes a username, password, component, role, and other specified fields. If the request path is crafted to exclude a forward slash and include a period, the server will respond with a success message, indicating that authentication was bypassed and a new user was created.

Remediation

Users are advised to update to Apache Pinot version 1.3 or later, where this vulnerability has been addressed.
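For instances that ran a version prior to 1.3, access logs can be reviewed for requests that satisfy the path condition described above. The following is an added example, not code from this advisory or from the Apache Pinot project: it flags non-read-only requests whose path contains no forward slash and includes a period. The log format, the stripping of the leading slash before the check, and all sample lines are assumptions constructed for illustration.

```python
import re

# Assumed combined-log-style request field: "METHOD target PROTOCOL" then status.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Static resources are normally fetched with these methods only.
READ_ONLY = {"GET", "HEAD", "OPTIONS"}


def relative_path(target):
    """Drop the query string and leading slashes (assumed form of the checked path)."""
    return target.split("?", 1)[0].lstrip("/")


def matches_bypass_condition(path):
    """Condition stated in the advisory: no forward slash, and a period present."""
    return "/" not in path and "." in path


def suspicious_requests(lines):
    """Return (method, target, status) for state-changing requests matching the condition."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line in the assumed format
        path = relative_path(m["target"])
        if m["method"] not in READ_ONLY and matches_bypass_condition(path):
            hits.append((m["method"], m["target"], int(m["status"])))
    return hits


# Constructed sample lines, not taken from a real Pinot deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2025:19:40:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Jun/2025:19:40:02 +0000] "GET /tables/events HTTP/1.1" 200 2048',
    '10.0.0.9 - - [09/Jun/2025:19:41:10 +0000] "POST /users HTTP/1.1" 401 87',
    '10.0.0.9 - - [09/Jun/2025:19:41:12 +0000] "POST /placeholder.ext HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for method, target, status in suspicious_requests(SAMPLE_LOG):
        print(f"review: {method} {target} -> {status}")
```

Any hit with a success status is worth correlating with the instance's current user list to spot accounts nobody on the team created.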

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 9.5
remediation: 0.0
relevance: 0.0
threat: 6.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.