CVE-2022-46365

CWE-20 — Improper Input Validation4 documents4 sources

Severity

9.1CRITICAL

EPSS

0.1%

top 80.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Streampark (incubating)Apache Streampark

Timeline

PublishedMay 1

Latest updateJul 6

Description

Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

▶NVDapache/streampark1.0.0 — 2.0.0

▶Mavenorg.apache.streampark:streampark1.0.0 — 2.0.0

▶CVEListV5apache_software_foundation/apache_streampark_(incubating)1.0.0 — 2.0.0

🔴Vulnerability Details

OSV

Apache StreamPark Improper Input Validation vulnerability↗2023-07-06

▶

GHSA

Apache StreamPark Improper Input Validation vulnerability↗2023-07-06

▶

CVEList

Apache StreamPark (incubating): Logic error causing any account reset↗2023-05-01

▶