Merge pull request #683 from joernNNN:pinot-cve-2024-56325

copybara-github · copybara-github · commit a639e91127de · 2025-10-08T04:37:53.000-07:00
PiperOrigin-RevId: 816646580
Change-Id: Ifac2ae473dd3f3f41d498c480d96878ab584b1b2
diff --git a/templated/templateddetector/plugins/cve/2024/ApachePinot_CVE_2024_56325.textproto b/templated/templateddetector/plugins/cve/2024/ApachePinot_CVE_2024_56325.textproto
@@ -0,0 +1,78 @@
+# proto-file: proto/templated_plugin.proto
+# proto-message: TemplatedPlugin
+
+###############
+# PLUGIN INFO #
+###############
+
+info: {
+  type: VULN_DETECTION
+  name: "ApachePinot_CVE_2024_56325"
+  author: "Joern w"
+  version: "1.0"
+}
+
+finding: {
+  main_id: {
+    publisher: "GOOGLE"
+    value: "APACHEPINOT_CVE_2024_56325"
+  }
+  severity: HIGH
+  title: "ApachePinot is vulnerable to Authentication Bypass"
+  description: "The instance of ApachePinot is vulnerable Authentication Bypass. This allows to create a new user which can run pinot SQL queries."
+  recommendation: "Update to version 1.4.0 or higher."
+  related_id: {
+    publisher: "CVE"
+    value: "CVE-2024-56325"
+  }
+}
+
+config: {}
+
+###########
+# ACTIONS #
+###########
+
+actions: {
+  name: "fingerprint_pinot"
+  http_request: {
+    method: GET
+    uri: "/"
+    response: {
+      http_status: 200
+      expect_all: {
+        conditions: [
+          { body: {} contains: '<title>Apache Pinot</title>' },
+          { body: {} contains: "<meta name=\"description\" content=\"Pinot Controller UI\">" }
+        ]
+      }
+    }
+  }
+}
+
+actions: {
+  name: "check_auth_bypass"
+  http_request: {
+    method: GET
+    uri: "/tables;."
+    response: {
+      http_status: 200
+      expect_all: {
+        conditions: [
+          { body: {} contains: '{"tables":[]}' }
+        ]
+      }
+    }
+  }
+}
+
+#############
+# WORKFLOWS #
+#############
+
+workflows: {
+  actions: [
+    "fingerprint_pinot",
+    "check_auth_bypass"
+  ]
+}
diff --git a/templated/templateddetector/plugins/cve/2024/ApachePinot_CVE_2024_56325_test.textproto b/templated/templateddetector/plugins/cve/2024/ApachePinot_CVE_2024_56325_test.textproto
@@ -0,0 +1,62 @@
+# proto-file: proto/templated_plugin_tests.proto
+# proto-message: TemplatedPluginTests
+
+config: {
+  tested_plugin: "ApachePinot_CVE_2024_56325"
+  disabled: false
+}
+
+tests: {
+  name: "whenVulnerable_returnsTrue"
+  expect_vulnerability: true
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/"
+        status: 200
+        body_content: '<title>Apache Pinot</title> <meta name="description" content="Pinot Controller UI">'
+      },
+      {
+          uri: "/tables;."
+              status: 200
+              body_content: '{"tables":[]}'
+      }
+    ]
+  }
+}
+
+tests: {
+  name: "whenNotVulnerable_returnsFalse"
+  expect_vulnerability: false
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/"
+        status: 200
+        body_content: '<title>Apache Pinot</title> <metaname="description" content="Pinot Controller UI">'
+      },
+      {
+        uri: "/tables\\;."
+        status: 403
+        body_content: '{"code":401,"error":"HTTP 401 Unauthorized"}'
+      }
+    ]
+  }
+}
+
+tests: {
+  name: "whenNotApachePinot_returnsFalse"
+  expect_vulnerability: false
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "TSUNAMI_MAGIC_ANY_URI"
+        status: 200
+        body_content: "Login to your Drupal account"
+      }
+    ]
+  }
+}
