CVE-2022-26112

{"id": "CVE-2022-26112", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-09-23T08:15:08.780", "references": [{"url": "https://lists.apache.org/thread/4pb0r12s2b68d78llk04yd8rh3qk5t9h", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In 0.10.0 or older versions of Apache Pinot, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to a groovy function support. In order to avoid this, we disabled the groovy function support by default from Pinot release 0.11.0. See https://docs.pinot.apache.org/basics/releases/0.11.0"}, {"lang": "es", "value": "En versi\u00f3n 0.10.0 o en versiones anteriores de Apache Pinot, el punto final de consulta de Pinot y la capa de ingesti\u00f3n en tiempo real presentan una vulnerabilidad en entornos no protegidos debido al soporte de una funci\u00f3n groovy. Para evitar esto, hemos deshabilitado el soporte de la funci\u00f3n groovy por defecto desde la versi\u00f3n 0.11.0 de Pinot. V\u00e9ase https://docs.pinot.apache.org/basics/releases/0.11.0"}], "lastModified": "2022-09-26T17:22:02.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:pinot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02C00685-B434-4A02-AADF-0D15F9E331DA", "versionEndExcluding": "0.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}