Lucene search

GoogleOSV:GHSA-6523-JF4R-C962

HistoryJul 17, 2024 - 12:31 p.m.

Apache StreamPipes has potential remote code execution (RCE) via file upload

2024-07-1712:31:11

Google

osv.dev

apache streampipes

remote code execution

file upload

vulnerability

authenticated users

version 0.95.0

software

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

39.9%

JSON

Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.
Such a dangerous type might be an executable file that may lead to a remote code execution (RCE).
The unrestricted upload is only possible for authenticated and authorized users.

This issue affects Apache StreamPipes: through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

References

github.com/apache/streampipes

github.com/apache/streampipes/releases/tag/release%2F0.95.0

lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt

nvd.nist.gov/vuln/detail/CVE-2024-31411

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

39.9%

JSON

Related for OSV:GHSA-6523-JF4R-C962