Lucene search

ApacheCVELIST:CVE-2022-45802

HistoryMay 01, 2023 - 2:04 p.m.

CVE-2022-45802 Apache StreamPark (incubating): Upload any file to any directory

2023-05-0114:04:57

CWE-434

apache

www.cve.org

cve-2022-45802

apache streampark

unauthorized file uploads

directory traversal

upgrade necessary

AI Score

9.7

Confidence

High

EPSS

0.005

Percentile

77.7%

JSON

Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache StreamPark (incubating)",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.0.0",
        "status": "affected",
        "version": "1.0.0",
        "versionType": "custom"
      }
    ]
  }
]

References

lists.apache.org/thread/thwl1v2h6r3c21x1qwff08o57qzjnst6