CVE-2023-49898 — Command Injection in Software Foundation Apache Streampark

CWE-77 — Command Injection4 documents4 sources

Severity

7.2HIGHNVD

EPSS

1.9%

top 16.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Streampark Apache Streampark

Timeline

PublishedDec 15

Description

In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. There…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/streampark2.0.0 — 2.1.2

▶CVEListV5apache_software_foundation/apache_streampark2.0.0 — 2.1.2

🔴Vulnerability Details

GHSA

Apache StreamPark: Authenticated system users could trigger remote command execution↗2023-12-15

▶

CVEList

Apache StreamPark (incubating): Authenticated system users could trigger remote command execution↗2023-12-15

▶

OSV

Apache StreamPark: Authenticated system users could trigger remote command execution↗2023-12-15

▶