CVSS 3.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 30.0%
org.apache.streampark, streampark is vulnerable to remote code execution. The vulnerability is caused by a missing check on the Maven compilation parameters in the project module that integrates Maven's build capability. An attacker can inject commands into the parameters that StreamPark passes to Maven, so that they run when the Maven command is executed, resulting in remote command execution. Exploitation requires the attacker to be logged in to the StreamPark system with system-level permissions.
github.com/advisories/GHSA-qg44-xqwj-wc28
github.com/apache/incubator-streampark/commit/92848d86dae043509adc39e27a394aaf8e11cdda
github.com/apache/incubator-streampark/commit/b1132fe1368c49ea0fce2a46d1dfc58031ace089
github.com/apache/incubator-streampark/pull/3367
github.com/apache/incubator-streampark/pull/3368
lists.apache.org/thread/qj99c03r4td35f8gbxq084b8qmv2fyr3