CVE-2024-29737

CWE-77 — Command Injection4 documents4 sources

Severity

4.7MEDIUM

EPSS

0.7%

top 26.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Streampark (incubating)Apache Streampark

Timeline

PublishedJul 17

Description

In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vu…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:LExploitability: 1.2 | Impact: 3.4

Affected Packages3 packages

▶NVDapache/streampark2.0.0 — 2.1.4

▶Mavenorg.apache.streampark:streampark< 2.1.4

▶CVEListV5apache_software_foundation/apache_streampark_(incubating)2.0.0 — 2.1.4

🔴Vulnerability Details

GHSA

Apache StreamPark: maven build params could trigger remote command execution↗2024-07-17

▶

CVEList

Apache StreamPark (incubating): maven build params could trigger remote command execution↗2024-07-17

▶

OSV

Apache StreamPark: maven build params could trigger remote command execution↗2024-07-17

▶