CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53960 – Apache StreamPark: Uses the user’s password as the secret key
https://notcve.org/view.php?id=CVE-2025-53960
12 Dec 2025 — When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. When issuing JSON Web Tokens (JWT)... • https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy • CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-54947 – Apache StreamPark: Use hard-coded key vulnerability
https://notcve.org/view.php?id=CVE-2025-54947
12 Dec 2025 — In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apa... • https://lists.apache.org/thread/kdntmzyzrco75x9q6mc6s8lty1fxmog1 • CWE-321: Use of Hard-coded Cryptographic Key CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-54981 – Apache StreamPark: Weak Encryption Algorithm in StreamPark
https://notcve.org/view.php?id=CVE-2025-54981
12 Dec 2025 — Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including ... • https://lists.apache.org/thread/9rbvdvwg5fdhzjdgyrholgso53r26998 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30001 – Apache StreamPark: Authenticated users can trigger remote command execution
https://notcve.org/view.php?id=CVE-2025-30001
10 Oct 2025 — Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. • https://lists.apache.org/thread/xfmsvhkcnr1831n0w5ovy3p44lsmfb7m • CWE-279: Incorrect Execution-Assigned Permissions •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-48988 – Apache StreamPark: SQL injection vulnerability
https://notcve.org/view.php?id=CVE-2024-48988
22 Aug 2025 — SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts. It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). As a result, the associated risk is ... • https://lists.apache.org/thread/26ng8388l93zwjrst560cbjz9x7wpq1s • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-564: SQL Injection: Hibernate •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29070 – Apache StreamPark: session not invalidated after logout
https://notcve.org/view.php?id=CVE-2024-29070
23 Jul 2024 — On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4 En versiones anteriores a la 2.1.4, la sesión no se invalida después de cerrar sesión. Cuando el usuario inicia sesión correctamente, el servicio Backend devuelve "Authorization" como credencial... • https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl • CWE-613: Insufficient Session Expiration •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34457 – Apache StreamPark IDOR Vulnerability
https://notcve.org/view.php?id=CVE-2024-34457
22 Jul 2024 — On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4 En versiones anteriores a la 2.1.4, después de que un usuario normal inicia sesión con éxito, puede realizar una solicitud manualmente utilizando el token de autorización para ver la información de flink de todos los usuarios, incluidos runSQL y config. Miti... • http://www.openwall.com/lists/oss-security/2024/07/22/2 • CWE-269: Improper Privilege Management CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.0EPSS: 12%CPEs: 1EXPL: 0CVE-2024-29178 – Apache StreamPark: FreeMarker SSTI RCE Vulnerability
https://notcve.org/view.php?id=CVE-2024-29178
18 Jul 2024 — On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4 En versiones anteriores a la 2.1.4, un usuario podía iniciar sesión y realizar un ataque de inyección de plantilla que generaba una ejecución remota de código en el servidor. El atacante debía iniciar sesión correc... • http://www.openwall.com/lists/oss-security/2024/07/18/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29120 – Apache StreamPark: Information leakage vulnerability
https://notcve.org/view.php?id=CVE-2024-29120
17 Jul 2024 — In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc. Mitigation: all users should upgrade to 2.1.4 En Streampark (versión <2.1.4), cuando un usuario iniciaba sesión correctamente, el servicio backend devolvía "Autorización" como credencial de autenticación de front-e... • http://www.openwall.com/lists/oss-security/2024/07/17/4 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer CWE-922: Insecure Storage of Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29737 – Apache StreamPark (incubating): maven build params could trigger remote command execution
https://notcve.org/view.php?id=CVE-2024-29737
17 Jul 2024 — In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability ... • http://www.openwall.com/lists/oss-security/2024/07/17/2 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •