Apache Pinot Vulnerability Let Attackers Bypass Authentication

With 78% of data breaches originating from authentication bypass flaws according to IBM’s 2025 Threat Intelligence Index, this vulnerability serves as a critical reminder to prioritize input validation in distributed architectures. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Kaaviya is a Security Editor and fellow reporter with Cyber Security News. Apache resolved the vulnerability in Pinot 1.3.0 through improved URI normalization using Java’s URI.normalize() method combined with regex-based path validation. Attackers can craft HTTP requests containing specially encoded sequences like %2e%2e/ or null-byte injections to bypass path normalization checks. Security analysts confirm this creates a direct pathway for remote code execution (RCE) through malicious query injections. Trend Micro’s Zero Day Initiative (ZDI), which tracked the flaw as ZDI-CAN-24001, confirms exploit code requires only basic HTTP manipulation skills. Rated 9.8 on the CVSS v3 scale – the maximum severity score – this flaw exposes organizations to data exfiltration, privilege escalation, and infrastructure compromise. She is covering various cyber security incidents happening in the Cyber Space. It mirrors recent vulnerabilities in Elasticsearch (CVE-2024-35253) and MongoDB Atlas (CVE-2024-48721), underscoring the need for runtime CVE monitoring in distributed systems. Apache Pinot’s architecture – designed for low-latency queries across petabyte-scale datasets – makes compromised instances high-value targets.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 12 Mar 2025 00:25:17 +0000

Cyber News related to Apache Pinot Vulnerability Let Attackers Bypass Authentication

Apache Pinot Vulnerability Let Remote Attackers Bypass Authentication - The Pinot vulnerability follows similar authentication bypass flaws in Elasticsearch (CVE-2024-35253) and MongoDB Atlas (CVE-2024-48721) disclosed earlier this year, suggesting industry-wide patterns in URI validation weaknesses. Cyber Security News ...
5 days ago Cybersecuritynews.com CVE-2024-35253

CVE-2022-23974 - In 0.9.3 or older versions of Apache Pinot segment upload path allowed segment directories to be imported into pinot tables. In pinot installations that allow open access to the controller a specially crafted request can potentially be exploited to ...
2 years ago

CVE-2022-38649 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Apache Airflow Pinot Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without ...
1 year ago

CVE-2024-39676 - Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Pinot. ...
5 months ago

Apache Pinot Vulnerability Let Attackers Bypass Authentication - With 78% of data breaches originating from authentication bypass flaws according to IBM’s 2025 Threat Intelligence Index, this vulnerability serves as a critical reminder to prioritize input validation in distributed architectures. Cyber Security ...
8 hours ago Cybersecuritynews.com CVE-2024-35253

CVE-2022-26112 - In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. In order to avoid this, we disabled the groovy function support by ...
2 years ago

Passwordless Login: Effortless Authentication - Let's explore how passwordless login paves the way for seamless and secure user authentication, fostering trust and loyalty. The Password Dilemma Though conventional complex password-based authentication has long been a cornerstone of robust ...
1 year ago Feeds.dzone.com

What Is Kerberos Authentication?: Implementing Effective Security Protocols - Kerberos is a vital security protocol that any serious computer user must be familiar with. It is an open standard that provides a secure way of verifying the identity of user across multiple systems. The Kerberos authentication protocol is a ...
2 years ago Heimdalsecurity.com

How to Use Context-Based Authentication to Improve Security - One of the biggest security weak points for organizations involves their authentication processes. Context-based authentication offers an important tool in the battle against credential stuffing, man-in-the-middle attacks, MFA prompt bombing, and ...
1 year ago Securityboulevard.com

Top 10 Best Passwordless Authentication Tools in 2025 - Auth0 provides a flexible authentication and authorization platform that supports passwordless login methods, enhancing security and user experience by eliminating the need for traditional passwords. Okta provides a robust identity and access ...
1 day ago Cybersecuritynews.com

CVE-2023-39913 - Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK.This issue affects Apache UIMA Java SDK: before 3.5.0. ...
3 weeks ago

Apache OFBiz RCE flaw exploited to find vulnerable Confluence servers - A critical Apache OFBiz pre-authentication remote code execution vulnerability is being actively exploited using public proof of concept exploits. Apache OFBiz is an open-source enterprise resource planning system many businesses use for e-commerce ...
1 year ago Bleepingcomputer.com CVE-2023-49070 CVE-2023-51467

Biometric Authentication in Business: Enhancing Security - With its high level of security, convenience, user-friendliness, and accuracy, biometric authentication is paving the way for the future of secure authentication in the business world. One of the primary advantages of implementing biometric ...
1 year ago Securityzap.com

Selecting an Authentication Protocol for Your Business - Authentication protocols serve as the backbone of online security, enabling users to confirm their identities securely and access protected information and services. The protocols exchange information to verify the validity of the authentication ...
10 months ago Darkreading.com

Patch Now: Exploit Activity Mounts for Dangerous Apache Struts 2 Bug - Concerns are high over a critical, recently disclosed remote code execution vulnerability in Apache Struts 2 that attackers have been actively exploiting over the past few days. Apache Struts is a widely used open source framework for building Java ...
1 year ago Darkreading.com CVE-2023-50164

The Threat That Can't Be Ignored: CVE-2023-46604 in Apache ActiveMQ - There is another vulnerability that demands immediate attention, despite not receiving the level of recognition it truly deserves in the media. Apache ActiveMQ vulnerability, known as CVE-2023-46604, is a Remote Code Execution flaw rated at a ...
11 months ago Cybersecurity-insiders.com CVE-2023-46604 Andariel

Apache OFBiz 0-day sees thousands of daily exploit attempts The Register - SonicWall says it has observed thousands of daily attempts to exploit an Apache OFBiz zero-day for nearly a fortnight. The near-maximum severity zero-day vuln in OfBiz, an open source ERP system with what researchers described as a surprisingly wide ...
1 year ago Go.theregister.com CVE-2023-51467 CVE-2023-49070

Apache OFBiz 0-day sees thousands of daily exploit attempts The Register - SonicWall says it has observed thousands of daily attempts to exploit an Apache OFBiz zero-day for nearly a fortnight. The near-maximum severity zero-day vuln in OFBiz, an open source ERP system with what researchers described as a surprisingly wide ...
1 year ago Packetstormsecurity.com CVE-2023-51467 CVE-2023-49070

Real-Time Data Warehousing Based on Apache Doris - This is a whole-journey guide for Apache Doris users, especially those from the financial sector, which requires a high level of data security and availability. If you don't know how to build a real-time data pipeline and make the most of the Apache ...
1 year ago Feeds.dzone.com

Biometric Authentication: Advancements and Challenges - Advancements in technology are driving the world of biometric authentication into a realm where one's very being serves as the key to accessing secure systems. The Evolution of Biometric Technology has significantly transformed the landscape of ...
1 year ago Securityzap.com

Critical Apache OFBiz Zero-day Flaw Exploited in the Wild - Researchers uncovered a critical authentication bypass zero-day flaw tracked as CVE-2023-51467, with a CVSS score of 9.8 affecting Apache OFBiz's open-source enterprise resource planning system. The vulnerability allows attackers to bypass simple ...
1 year ago Cybersecuritynews.com CVE-2023-51467 CVE-2023-49070

TellYouThePass ransomware joins Apache ActiveMQ RCE attacks - Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution vulnerability previously exploited as a zero-day. The flaw, tracked as CVE-2023-46604, is a maximum severity ...
1 year ago Bleepingcomputer.com CVE-2023-46604

1,718,000+ Apache Struts 2 Installation Open to RCE Attacks - Threat actors target Apache Struts 2 due to vulnerabilities in its code that can be exploited for unauthorized access to web applications. Exploiting these vulnerabilities allows attackers to execute arbitrary code that could lead to full system ...
1 year ago Cybersecuritynews.com CVE-2023-50164

Barracuda ESG, Apache OfBiz Vulnerabilities Persist - While the number of reported vulnerabilities sometimes decrease over the Christmas and New Year's holidays, active and potential exploits are no less threatening. During the past couple weeks, Google has seen multiple vulnerabilities, including a ...
1 year ago Esecurityplanet.com CVE-2023-7101 CVE-2023-51467 CVE-2023-49070

CVE-2021-41129 - Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not ...
1 year ago