Apache StreamPipes: Privilege escalation through non-admin user
CVE-2023-31469

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Streampipes
Vendor: CVE Published:; 23 June 2023

Summary

A vulnerability exists in the Apache StreamPipes REST interface that allows non-admin users with valid login credentials to gain elevated access beyond their assigned roles. This flaw impacts versions 0.69.0 through 0.91.0 and can lead to unauthorized actions within the application. To mitigate this risk, upgrading to StreamPipes version 0.92.0 is recommended as it implements the necessary restrictions to ensure that only admin users can access sensitive functionalities.

Affected Version(s)

Apache StreamPipes 0.69.0 <= 0.91.0

References

https://lists.apache.org/thread/c4y8kf9bzpf36v4bottfmd8tc...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 23, 2023
Vulnerability Reserved
Apr 28, 2023

Credit

Xun Bai, LJQC Open Source Security Institute