Apache Pinot has Groovy Function support enabled by default
Critical severity
GitHub Reviewed
Published Sep 25, 2022 to the GitHub Advisory Database • Updated Jan 28, 2023
Description
Published by the National Vulnerability Database: Sep 23, 2022
Reviewed: Sep 29, 2022
Pinot allows you to run any function using Apache Groovy scripts. In versions prior to 0.10.0, the Pinot query endpoint and realtime ingestion layer have a vulnerability in unprotected environments because Groovy function support is enabled by default. This issue has been fixed in version 0.11.0 by making function support disabled by default. A potential workaround is to disable Groovy script support.
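Before applying the workaround, it helps to know which tables and queries currently rely on Groovy functions. The following audit is an added example, not code from the advisory or from the Pinot project. It assumes the table config fields `ingestionConfig.filterConfig.filterFunction` and `ingestionConfig.transformConfigs[].transformFunction` and the `Groovy(...)` / `GROOVY(...)` call syntax; the helper names and all sample data are constructed.

```python
import json
import re

# Groovy appears as GROOVY('<json>', '<script>', args) in queries and as
# Groovy({script}, args) in ingestion configs: match the name followed by "(".
GROOVY_CALL = re.compile(r"\bgroovy\s*\(", re.IGNORECASE)

def groovy_in_table_config(config):
    """Return the ingestionConfig paths whose function expression uses Groovy."""
    hits = []
    ingestion = config.get("ingestionConfig") or {}
    filter_fn = (ingestion.get("filterConfig") or {}).get("filterFunction") or ""
    if GROOVY_CALL.search(filter_fn):
        hits.append("ingestionConfig.filterConfig.filterFunction")
    for i, t in enumerate(ingestion.get("transformConfigs") or []):
        if GROOVY_CALL.search(t.get("transformFunction") or ""):
            hits.append(f"ingestionConfig.transformConfigs[{i}] ({t.get('columnName')})")
    return hits

def groovy_in_queries(queries):
    """Return the queries that call the GROOVY function."""
    return [q for q in queries if GROOVY_CALL.search(q)]

# Constructed sample table config (not from the advisory).
SAMPLE_TABLE_CONFIG = json.loads("""
{
  "tableName": "orders_REALTIME",
  "ingestionConfig": {
    "filterConfig": {"filterFunction": "Groovy({qty < 1}, qty)"},
    "transformConfigs": [
      {"columnName": "total", "transformFunction": "Groovy({price * qty}, price, qty)"},
      {"columnName": "ts_hours", "transformFunction": "toEpochHours(ts)"}
    ]
  }
}
""")

# Constructed sample queries, e.g. taken from a broker query log.
SAMPLE_QUERIES = [
    "SELECT COUNT(*) FROM orders WHERE qty > 10",
    "SELECT GROOVY('{\"returnType\":\"INT\",\"isSingleValue\":true}', "
    "'arg0 + arg1', price, qty) FROM orders",
]

if __name__ == "__main__":
    for path in groovy_in_table_config(SAMPLE_TABLE_CONFIG):
        print("table config uses Groovy:", path)
    for q in groovy_in_queries(SAMPLE_QUERIES):
        print("query uses Groovy:", q)
```

The match is textual, so a string literal containing `groovy(` is also flagged; treat hits as candidates for review.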