GHSA-qj9p-jvmw-82rh

Source

https://github.com/advisories/GHSA-qj9p-jvmw-82rh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-qj9p-jvmw-82rh/GHSA-qj9p-jvmw-82rh.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-qj9p-jvmw-82rh

Aliases

CVE-2022-26112

Published

2022-09-25T00:00:26Z

Modified

2025-05-28T19:59:02.479880Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache Pinot has Groovy Function support enabled by default

Details

Pinot allows you to run any function using Apache Groovy scripts. In versions prior to 0.10.0, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to groovy function support being enabled by default. This issue has been fixed by making function support disabled by default, in version 0.11.0. A potential workaround is to disable groovy script support.

Database specific

{
    "github_reviewed_at": "2022-09-29T14:37:12Z",
    "severity": "CRITICAL",
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2022-09-23T08:15:00Z"
}

References

Affected packages

Maven / org.apache.pinot:pinot

Package

Name: org.apache.pinot:pinot; View open source insights on deps.dev
Purl: pkg:maven/org.apache.pinot/pinot

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.11.0

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.5.0

0.6.0

0.7.0

0.7.1

0.8.0

0.9.0

0.9.1

0.9.2

0.9.3

0.10.0