CVE-2022-45802

CWE-434 — Unrestricted File Upload CWE-22 — Path Traversal4 documents4 sources

Severity

9.8CRITICAL

EPSS

0.1%

top 71.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Streampark (incubating)Apache Streampark

Timeline

PublishedMay 1

Latest updateJul 6

Description

Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶NVDapache/streampark< 2.0.0

▶Mavenorg.apache.streampark:streampark-common_2.11< 2.0.0

▶Mavenorg.apache.streampark:streampark-common_2.12< 2.0.0

▶CVEListV5apache_software_foundation/apache_streampark_(incubating)1.0.0 — 2.0.0

🔴Vulnerability Details

GHSA

Apache StreamPark Path Traversal vulnerability↗2023-07-06

▶

OSV

Apache StreamPark Path Traversal vulnerability↗2023-07-06

▶

CVEList

Apache StreamPark (incubating): Upload any file to any directory↗2023-05-01

▶