CVE-2025-32896

Severity: 6.5 MEDIUM
EPSS: 0.2% (top 58.89%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 19

Description

# Summary

Unauthorized users can perform Arbitrary File Read and Deserialization attacks by submitting a job using restful api-v1.

# Details

Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit a job. An attacker can set extra params in the mysql url to perform Arbitrary File Read and Deserialization attacks.

This issue affects Apache SeaTunnel: <=2.3.10

# Fixed

Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication, which f

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 4 packages

Patches

Vulnerability Details (3)

GHSA: Apache SeaTunnel: Unauthenticated insecure access (2025-06-19)
OSV: Apache SeaTunnel: Unauthenticated insecure access (2025-06-19)
CVEList: Apache SeaTunnel: Unauthenticated insecure access (2025-06-19)