Apache StreamPark (incubating): Authenticated system users could trigger remote command execution
CVE-2023-49898
7.2HIGH
Key Information:
- Vendor
- Apache
- Vendor
- CVE Published:
- 15 December 2023
Summary
A vulnerability exists in the Streampark project module that leverages Maven's compilation capabilities, allowing unauthorized command execution. Without validation on compilation parameters, an authenticated user with system-level access could exploit this flaw. Only users logged into the Streampark system, generally trusted, can perform these actions, which minimizes the likelihood of exploitation. To mitigate this vulnerability, all users should upgrade to version 2.1.2, which addresses the issue effectively.
Affected Version(s)
Apache StreamPark (incubating) 2.0.0 < 2.1.2
References
CVSS V3.1
Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved