Lucene search

GitHub Advisory DatabaseGHSA-6523-JF4R-C962

HistoryJul 17, 2024 - 12:31 p.m.

Apache StreamPipes has potential remote code execution (RCE) via file upload

2024-07-1712:31:11

CWE-434

GitHub Advisory Database

github.com

apache streampipes

rce

file upload

vulnerability

upgrade

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

39.9%

JSON

Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.
Such a dangerous type might be an executable file that may lead to a remote code execution (RCE).
The unrestricted upload is only possible for authenticated and authorized users.

This issue affects Apache StreamPipes: through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

Affected configurations

Vulners

Node

org.apache.streampipes\streampipesMatchparent

VendorProductVersionCPE
org.apache.streampipes\streampipesparentcpe:2.3:a:org.apache.streampipes\:streampipes:parent:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.streampipes\	streampipes	parent	cpe:2.3:a:org.apache.streampipes\:streampipes:parent::::::::

References

github.com/advisories/GHSA-6523-jf4r-c962

github.com/apache/streampipes/releases/tag/release%2F0.95.0

lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt

nvd.nist.gov/vuln/detail/CVE-2024-31411

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

39.9%

JSON

Related for GHSA-6523-JF4R-C962