187 matches found
CVE-2024-29070 Apache StreamPark: session not invalidated after logout
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users...
Insecure Direct Object Reference (IDOR)
org.apache.streampark, streampark is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to insufficient access control due to improper handling of authorization tokens, allowing attackers to manually request and view all users' flink information, including executeSQL an...
Apache StreamPark 代码问题漏洞
Apache StreamPark is the United States Apache Apache Foundation of a streaming media application development framework. Apache StreamPark versions prior to 2.1.4 suffer from a session expiration insufficiency vulnerability, which stems from the fact that the session is not expired after logging...
CVE-2024-34457 Apache StreamPark IDOR Vulnerability
On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4...
CVE-2024-34457 Apache StreamPark IDOR Vulnerability
On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4...
Apache StreamPark 安全漏洞
Apache StreamPark is the United States Apache Apache Foundation of a streaming media application development framework. A privilege management error vulnerability exists in Apache StreamPark versions 1.0.0 through 2.1.4 and earlier, which can be exploited by an attacker to manually issue a reques...
Apache StreamPark Information Disclosure Vulnerability
Apache StreamPark is the United States Apache Apache Foundation of a streaming media application development framework. Apache StreamPark has an information disclosure vulnerability that can be exploited by attackers to obtain sensitive user information...
Apache StreamPark Command Injection Vulnerability (CNVD-2024-33576)
Apache StreamPark is the United States Apache Apache Foundation of a streaming media application development framework. A command injection vulnerability exists in Apache StreamPark versions prior to 2.0.0 to 2.1.4, which stems from poor validation of input parameters and can be exploited by an...
Apache StreamPark Code Injection Vulnerability
Apache StreamPark is the United States Apache Apache Foundation of a streaming media application development framework. A code injection vulnerability exists in Apache StreamPark versions prior to 2.1.4, which stems from a user being able to log in and perform a template injection attack. No...
Apache StreamPark Command Injection Vulnerability (CNVD-2024-33577)
Apache StreamPark is the United States Apache Apache Foundation of a streaming media application development framework. Apache StreamPark suffers from a command injection vulnerability that stems from lax input parameter validation. An authorized attacker with system-level privileges could exploi...
Template Injection
Apache StreamPark is vulnerable to template injection. The vulnerability is due to insufficient input validation that allows attacker to perform a template injection that potentially leads to execution of arbitrary code on server...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the template processing mechanism. An attacker can execute arbitrary code on the server by injecting malicious templates after successfully logging into the system. Remediation Upgrade...
GHSA-VV8H-M63V-53PQ Apache StreamPark: FreeMarker SSTI RCE Vulnerability
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4...
Apache StreamPark: FreeMarker SSTI RCE Vulnerability
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4...
CVE-2024-29178 Apache StreamPark: FreeMarker SSTI RCE Vulnerability
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4...
CVE-2024-29178 Apache StreamPark: FreeMarker SSTI RCE Vulnerability
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4...
Command Injection
org.apache.streampark:streampark is vulnerable to Command Injection. The vulnerability is caused due to insufficient input parameter validation, allowing attackers to insert commands. Exploiting this requires system-level access via user login, thereby limiting its risk due to controlled user...
Command Injection
org.apache.streampark:streampark is vulnerable to command injection due to insufficient input parameter validation, which allows attackers to insert malicious commands for execution. The risk level of this vulnerability is very low as it requires the user to log in with system-level permissions...
Apache StreamPark 代码注入漏洞
Apache StreamPark is the United States Apache Apache Foundation of a streaming media application development framework. A code injection vulnerability exists in Apache StreamPark versions prior to 2.1.4, which stems from a user being able to log in and perform a template injection attack. No...
GHSA-HCF8-5J78-887V Apache StreamPark: Information leakage vulnerability
In Streampark version 2.1.4, when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc. ...