Improper Neutralization of Special Elements

CVE-2024-56325

High

9.8/10

Summary

An Improper Neutralization of Special Elements Authentication Bypass vulnerability has been identified in Apache Pinot. This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability. The specific flaw exists within the "AuthenticationFilter" class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system. This flaw affects Apache Pinot Broker versions 0.12.0 through 1.2.0 and Apache Pinot Controller versions 0.7.0 through 1.2.0.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-138 - Improper Neutralization of Special Elements

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component.

References

Advisory Timeline

Published Mar 03, 2025

Improper Neutralization of Special Elements

CVE-2024-56325

Summary

CWE-138 - Improper Neutralization of Special Elements

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS