CVE-2022-46365

2023-05-0115:15:09

CWE-20

[email protected]

web.nvd.nist.gov

cve

apache streampark

security vulnerability

user profile modification

nvd

upgrade

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

9.1 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.8%

JSON

Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

Affected configurations

Vulners

NVD

Node

apachestreamparkRange≤2.0.0

CPENameOperatorVersion
apache:streamparkapache streamparklt2.0.0

CPE	Name	Operator	Version
apache:streampark	apache streampark	lt	2.0.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache StreamPark (incubating)",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "1.0.0",
        "versionType": "custom"
      }
    ]
  }
]