17 matches found
CVE-2023-49898
CVE-2023-49898 concerns Apache StreamPark: a project module that integrates Maven compilation lacks validation of Maven parameters, allowing remote command execution. The advisory notes that an attacker must be an authenticated system user with high privileges, limiting exposure, and that the ove...
CVE-2023-52291
CVE-2023-52291 concerns Apache StreamPark. The vulnerability stems from lax validation of maven build parameters in the StreamPark project module, allowing command injection when the input parameter < is used (for example, < (curl http://xxx.com)). An attack requires the user to be logged i...
CVE-2024-29120
CVE-2024-29120 affects Apache StreamPark, specifically versions prior to 2.1.4. The Backend service returns the user’s session as the front-end authentication credential upon successful login, enabling a user to request other users’ information (including administrator usernames, passwords, and s...
CVE-2023-30867
CVE-2023-30867 (Apache StreamPark) : The vulnerability arises in the StreamPark platform’s name-based fuzzy search (e.g., jobName or roleName) where input used in a LIKE '%…%' clause is not validated, enabling SQL injection. Multiple sources (NVD, Red Hat, CNVD, Veracode, OSV, GHSA, CVE list) con...
CVE-2024-34457
CVE-2024-34457 affects Apache StreamPark versions prior to 2.1.4. After a regular user logs in, an attacker can manually issue a request with a valid authorization token to view all users’ flink information, including sensitive fields like executeSQL and config . Root cause described as a privile...
CVE-2024-29737
CVE-2024-29737 concerns a command-injection flaw in Apache StreamPark (Project module). The vulnerability arises from lax validation of build parameters in the Maven integration, allowing an authenticated user with system-level permissions to inject commands via the Build Argument (demonstrated b...
CVE-2023-52290
CVE-2023-52290 affects Apache StreamPark’s streampark-console prior to version 2.1.4. The vulnerability arises from unvalidated sort field input used to build SQL queries in list pages (e.g., application pages), enabling SQL injection after an authenticated user logs in. Impact is described as da...
CVE-2022-45802
CVE-2022-45802 (Apache StreamPark) : The vulnerability stems from a lack of mandatory verification of uploaded files when users submit jars as applications, which can permit uploading high-risk files and potentially placing them in arbitrary directories. This aligns with reported path traversal c...
CVE-2024-29070
CVE-2024-29070 affects Apache StreamPark where versions prior to 2.1.4 fail to invalidate sessions after logout. The root cause is improper session management: after a successful login, the Backend service returns an Authorization credential that remains usable to initiate requests and access dat...
CVE-2022-45801
CVE-2022-45801 concerns Apache StreamPark versions 1.0.0–2.0.0 with an LDAP injection vulnerability. The issue arises when user input is not properly sanitized, allowing LDAP statements to be modified similarly to SQL Injection. Documented impact includes potential unauthorized access permissions...
CVE-2024-29178
Apache StreamPark before version 2.1.4 is affected by a FreeMarker SSTI vulnerability that an authenticated user can exploit to achieve Remote Code Execution on the server. Root cause: template injection via FreeMarker in the application, with high impact (CVE-2024-29178). Remediation: upgrade to...
CVE-2022-46365
CVE-2022-46365 affects Apache StreamPark 1.0.0 before 2.0.0. The issue is an improper username verification when a user modifies their profile: the username is passed to the server without confirming the user is the currently logged-in one. This can allow an attacker to supply any username to mod...
CVE-2024-48988
CVE-2024-48988 (Apache StreamPark): SQL injection vulnerability affecting StreamPark 2.1.4 through 2.1.5 (and 2.1.6 pre-release window) in the SpringBoot distribution package. Root cause: lack of validation of externally supplied SQL statements, enabling manipulation after user login. Impact: cou...
CVE-2025-53960
Apache StreamPark (affected: 2.0.0–2.1.7) suffers from a vulnerability where JWTs are signed using the user’s password as the HMAC secret (HS256). This directly exposes passwords to offline brute-forcing via captured tokens and can allow forging of identity tokens if the password is known, potent...
CVE-2025-54981
CVE-2025-54981 affects Apache StreamPark prior to 2.1.7, due to use of AES in ECB mode and a weak RNG for encrypting sensitive data such as JWT tokens. This weak encryption could lead to exposure of confidential data. The vulnerability is documented across multiple sources (NVD, Red Hat, OSV, CNV...
CVE-2025-30001
Apache StreamPark has a vulnerability described as an Incorrect Execution-Assigned Permissions issue that, in versions 2.1.4 up to but not including 2.1.6, can allow authenticated users to trigger remote command execution. PT-security and multiple CVE references converge on this issue, noting tha...
CVE-2025-54947
Apache StreamPark versions 2.0.0–2.1.7 contain a hard-coded, immutable encryption key, enabling potential decryption/ forgery of encrypted data and unauthorized access. The issue arises from using a fixed key instead of a dynamically generated or securely configured one. Upgrade to 2.1.7 is recom...