Apache StreamPark (incubating): Logic error causing any account reset
CVE-2022-46365
9.1 CRITICAL
Summary
A security vulnerability in Apache StreamPark version 1.0.0 allows an authenticated user to abuse the profile modification functionality. When a logged-in user submits a profile update, the application fails to verify that the username in the request belongs to the current user. An attacker can therefore supply any username and modify or reset another user's account. Users should upgrade to Apache StreamPark version 2.0.0 or later to mitigate this issue.
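The flaw described above is a missing ownership check on a profile update. The following added example (not StreamPark's code; a hypothetical in-memory user store and handler names are assumed) shows the flawed handler, which trusts the username in the request body, next to a hardened one that derives the target account from the authenticated session and rejects a mismatched username.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


# Constructed in-memory user store standing in for the application's user table.
@dataclass
class User:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS: dict[str, User] = {}
for _name, _pw in (("alice", "alice-pass"), ("bob", "bob-pass")):
    _u = User(_name)
    _u.pw_hash = hash_password(_pw, _u.salt)
    USERS[_name] = _u


def check_login(username: str, password: str) -> bool:
    u = USERS.get(username)
    return u is not None and hmac.compare_digest(u.pw_hash, hash_password(password, u.salt))


class Forbidden(Exception):
    pass


def update_profile_vulnerable(session_user: str, payload: dict) -> str:
    """Flawed handler: the target account comes from the request body, so any
    authenticated user can reset any other account (the pattern in this CVE)."""
    target = USERS[payload["username"]]  # session_user is never compared to this
    target.pw_hash = hash_password(payload["password"], target.salt)
    return target.username


def update_profile_fixed(session_user: str, payload: dict) -> str:
    """Hardened handler: the target account is the authenticated session's own
    record, and a username in the body that differs from it is rejected."""
    if payload.get("username", session_user) != session_user:
        raise Forbidden("profile update may only target the logged-in user")
    target = USERS[session_user]
    target.pw_hash = hash_password(payload["password"], target.salt)
    return target.username
```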
Affected Version(s)
Apache StreamPark (incubating) >= 1.0.0, < 2.0.0
CVSS V3.1
Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved