CVE-2022-23974

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-23974
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23974.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-23974
Aliases
Published
2022-04-05T19:55:08Z
Modified
2026-05-28T04:04:28.374973612Z
Summary
Pinot segment push endpoint has a vulnerability in unprotected environments
Details

In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to cause disruption in pinot service. Pinot release 0.10.0 fixes this. See https://docs.pinot.apache.org/basics/releases/0.10.0

Database specific 
{
    "cwe_ids": [
        "CWE-674"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "Apache Pinot"
                },
                {
                    "last_affected": "0.9.3"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "apache",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/23xxx/CVE-2022-23974.json"
}
References

Affected packages

Git / github.com/apache/pinot

Affected ranges

Type
GIT
Repo
https://github.com/apache/pinot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
30c4635bfeee88f88aa9c9f63b93bcd4a650607f
Database specific 
{
    "cpe": "cpe:2.3:a:apache:pinot:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.10.0"
        }
    ],
    "source": "CPE_RANGE"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23974.json"