// For flags

CVE-2023-30867

Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability

Severity Score

4.9
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage. Mitigation: Users are recommended to upgrade to version 2.1.2, which fixes the issue.

En la plataforma Streampark, cuando los usuarios inician sesión en el sistema y utilizan ciertas funciones, algunas páginas proporcionan una búsqueda difusa basada en nombres, como nombres de trabajos, nombres de funciones, etc. La sintaxis SQL: select* de la tabla donde '%jobName%' gusta. Sin embargo, el campo jobName puede recibir parámetros no válidos, lo que provocará una inyección de SQL. Esto podría resultar potencialmente en una fuga de información. Mitigación: se recomienda a los usuarios actualizar a la versión 2.1.2, que soluciona el problema.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Multiple
Confidentiality
Complete
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-04-19 CVE Reserved
  • 2023-12-15 CVE Published
  • 2024-08-02 CVE Updated
  • 2025-05-05 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://lists.apache.org/thread/bhdzh6hnh04yyf3g203bbyvxryd720o2 2023-12-21
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Streampark
Search vendor "Apache" for product "Streampark"
 >= 2.0.0 < 2.1.2
Search vendor "Apache" for product "Streampark" and version " >= 2.0.0 < 2.1.2"
-
Affected