ApacheStreampark

17 matches found

CVE, added 2023/12/15 12:13 p.m., 91 views

CVE-2023-49898

CVE-2023-49898 concerns Apache StreamPark: a project module that integrates Maven compilation lacks validation of Maven parameters, allowing remote command execution. The advisory notes that an attacker must be an authenticated system user with high privileges, limiting exposure, and that the ove...

CVSS 7.2, AI score 7.1, EPSS 0.02299

CVE, added 2024/07/17 8:16 a.m., 73 views

CVE-2023-52291

CVE-2023-52291 concerns Apache StreamPark. The vulnerability stems from lax validation of Maven build parameters in the StreamPark project module, allowing command injection when the input parameter < is used (for example, < (curl http://xxx.com)). An attack requires the user to be logged i...

CVSS 8.8, AI score 5.2, EPSS 0.01607

CVE, added 2024/07/17 2:59 p.m., 70 views

CVE-2024-29120

CVE-2024-29120 affects Apache StreamPark, specifically versions prior to 2.1.4. The Backend service returns the user’s session as the front-end authentication credential upon successful login, enabling a user to request other users’ information (including administrator usernames, passwords, and s...

CVSS 5.9, AI score 5.6, EPSS 0.00282

CVE, added 2023/12/15 12:14 p.m., 69 views

CVE-2023-30867

CVE-2023-30867 (Apache StreamPark): The vulnerability arises in the StreamPark platform’s name-based fuzzy search (e.g., jobName or roleName), where input used in a LIKE '%…%' clause is not validated, enabling SQL injection. Multiple sources (NVD, Red Hat, CNVD, Veracode, OSV, GHSA, CVE list) con...

CVSS 4.9, AI score 5.4, EPSS 0.00852

CVE, added 2024/07/22 9:48 a.m., 68 views

CVE-2024-34457

CVE-2024-34457 affects Apache StreamPark versions prior to 2.1.4. After a regular user logs in, an attacker can manually issue a request with a valid authorization token to view all users’ flink information, including sensitive fields like executeSQL and config. Root cause described as a privile...

CVSS 6.5, AI score 6.4, EPSS 0.00728

CVE, added 2024/07/17 8:21 a.m., 65 views

CVE-2024-29737

CVE-2024-29737 concerns a command-injection flaw in Apache StreamPark (Project module). The vulnerability arises from lax validation of build parameters in the Maven integration, allowing an authenticated user with system-level permissions to inject commands via the Build Argument (demonstrated b...

CVSS 8.8, AI score 5.2, EPSS 0.01117

CVE, added 2024/07/16 7:37 a.m., 59 views

CVE-2023-52290

CVE-2023-52290 affects Apache StreamPark’s streampark-console prior to version 2.1.4. The vulnerability arises from unvalidated sort field input used to build SQL queries in list pages (e.g., application pages), enabling SQL injection after an authenticated user logs in. Impact is described as da...

CVSS 8.1, AI score 8.4, EPSS 0.00639

CVE, added 2023/05/01 2:4 p.m., 57 views

CVE-2022-45802

CVE-2022-45802 (Apache StreamPark): The vulnerability stems from a lack of mandatory verification of uploaded files when users submit jars as applications, which can permit uploading high-risk files and potentially placing them in arbitrary directories. This aligns with reported path traversal c...

CVSS 9.8, AI score 9.5, EPSS 0.01308

CVE, added 2024/07/23 8:13 a.m., 56 views

CVE-2024-29070

CVE-2024-29070 affects Apache StreamPark where versions prior to 2.1.4 fail to invalidate sessions after logout. The root cause is improper session management: after a successful login, the Backend service returns an Authorization credential that remains usable to initiate requests and access dat...

CVSS 9.1, AI score 6.7, EPSS 0.00788

CVE, added 2023/05/01 2:50 p.m., 55 views

CVE-2022-45801

CVE-2022-45801 concerns Apache StreamPark versions 1.0.0–2.0.0 with an LDAP injection vulnerability. The issue arises when user input is not properly sanitized, allowing LDAP statements to be modified similarly to SQL Injection. Documented impact includes potential unauthorized access permissions...

CVSS 5.4, AI score 6.1, EPSS 0.01103

CVE, added 2024/07/18 11:15 a.m., 46 views

CVE-2024-29178

Apache StreamPark before version 2.1.4 is affected by a FreeMarker SSTI vulnerability that an authenticated user can exploit to achieve Remote Code Execution on the server. Root cause: template injection via FreeMarker in the application, with high impact (CVE-2024-29178). Remediation: upgrade to...

CVSS 8.8, AI score 9, EPSS 0.01239

CVE, added 2023/05/01 2:53 p.m., 42 views

CVE-2022-46365

CVE-2022-46365 affects Apache StreamPark 1.0.0 before 2.0.0. The issue is an improper username verification when a user modifies their profile: the username is passed to the server without confirming the user is the currently logged-in one. This can allow an attacker to supply any username to mod...

CVSS 9.1, AI score 9.2, EPSS 0.01475

CVE, added 2025/08/22 6:24 p.m., 27 views

CVE-2024-48988

CVE-2024-48988 (Apache StreamPark): SQL injection vulnerability affecting StreamPark 2.1.4 through 2.1.5 (and 2.1.6 pre-release window) in the SpringBoot distribution package. Root cause: lack of validation of externally supplied SQL statements, enabling manipulation after user login. Impact: cou...

CVSS 7.6, AI score 7.5, EPSS 0.00558

CVE, added 2025/12/12 3:15 p.m., 18 views

CVE-2025-53960

Apache StreamPark (affected: 2.0.0–2.1.7) suffers from a vulnerability where JWTs are signed using the user’s password as the HMAC secret (HS256). This directly exposes passwords to offline brute-forcing via captured tokens and can allow forging of identity tokens if the password is known, potent...

CVSS 5.9, AI score 6.5, EPSS 0.00216

CVE, added 2025/12/12 3:10 p.m., 16 views

CVE-2025-54981

CVE-2025-54981 affects Apache StreamPark prior to 2.1.7, due to use of AES in ECB mode and a weak RNG for encrypting sensitive data such as JWT tokens. This weak encryption could lead to exposure of confidential data. The vulnerability is documented across multiple sources (NVD, Red Hat, OSV, CNV...

CVSS 7.5, AI score 6.7, EPSS 0.00216

CVE, added 2025/10/10 9:52 a.m., 15 views

CVE-2025-30001

Apache StreamPark has a vulnerability described as an Incorrect Execution-Assigned Permissions issue that, in versions 2.1.4 up to but not including 2.1.6, can allow authenticated users to trigger remote command execution. PT-security and multiple CVE references converge on this issue, noting tha...

CVSS 7.3, AI score 6.6, EPSS 0.00506

CVE, added 2025/12/12 3:11 p.m., 13 views

CVE-2025-54947

Apache StreamPark versions 2.0.0–2.1.7 contain a hard-coded, immutable encryption key, enabling potential decryption/forgery of encrypted data and unauthorized access. The issue arises from using a fixed key instead of a dynamically generated or securely configured one. Upgrade to 2.1.7 is recom...

CVSS 9.8, AI score 6.2, EPSS 0.00448