CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45801 – Apache StreamPark (incubating): LDAP Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-45801
Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to SQL Injection. LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. This risk may only occur when the user logs in with ldap, and the user name and password login will not be affected, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later. • https://lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45802 – Apache StreamPark (incubating): Upload any file to any directory
https://notcve.org/view.php?id=CVE-2022-45802
Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later • https://lists.apache.org/thread/thwl1v2h6r3c21x1qwff08o57qzjnst6 • CWE-434: Unrestricted Upload of File with Dangerous Type •