CVE-2022-26112 — Apache Pinot has Groovy Function support enabled by default

Description

Pinot allows you to run any function using Apache Groovy scripts. In versions prior to 0.10.0, Pinot query endpoint and realtime ingestion layer has a vulnerability in unprotected environments due to groovy function support being enabled by default. This issue has been fixed by making function support disabled by default, in version 0.11.0. A potential workaround is to disable groovy script support.

How to fix CVE-2022-26112

To remediate CVE-2022-26112, upgrade the affected package to a fixed version below.

—upgrade to 0.11.0 or later

Is CVE-2022-26112 being exploited?

Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.11.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-26112
PATCHgithub.com/apache/pinot
WEBdocs.pinot.apache.org/basics/releases/0.11.0
WEBgithub.com/apache/pinot/pull/8711
WEBlists.apache.org