5 matches found
SQL Injection
com.vip.saturn, saturn-console is vulnerable to SQL injection. The vulnerability is due to insufficient input validation in the /console/dashboard/executorCount?zkClusterKey component, allowing remote attackers to execute arbitrary code...
GHSA-49V8-P6MM-3PFJ Vipshop Saturn Console Vulnerable to SQL Injection via ClusterKey Component
SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component...
com.vip.saturn:saturn-console (>=3.0.0-M1 <=3.5.1), com.vip.saturn:saturn-it (>=3.0.0-M5 <=3.5.1) potentially affected by CVE-2025-29085 via com.vip.saturn:saturn-console-api (>=3.0.0-M1 <=3.5.1)
com.vip.saturn:saturn-console-api MAVEN version =3.0.0-M1, =3.0.0-M1, =3.0.0-M5, =3.5.1 Source cves: CVE-2025-29085 Source advisory: SNYK:JAVA-COMVIPSATURN-9749461...
com.vip.saturn:saturn-it (>=2.1.2 <=3.5.1) potentially affected by CVE-2025-29085 via com.vip.saturn:saturn-console (>=2.1.2 <=3.5.1)
com.vip.saturn:saturn-console MAVEN version =2.1.2, =2.1.2, =3.5.1 Source cves: CVE-2025-29085 Source advisory: OSV:GHSA-49V8-P6MM-3PFJ...
SQL Injection
Overview: Affected versions of this package are vulnerable to SQL Injection via the zkClusterKey parameter, which is passed unescaped to an SQL query in executorCount. An attacker can execute arbitrary SQL commands via the /console/dashboard/executorCount?zkClusterKey endpoint. Remediation: Ther...