Apache Streampark vulnerabilities

17 known vulnerabilities affecting apache/streampark.

Total CVEs: 17
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 6, MEDIUM 7

Vulnerabilities

CVE-2025-54947 | CRITICAL | CVSS 9.8 | ≥ 2.0.0, < 2.1.7 | 2025-12-12
CWE-321: In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analys
nvd
CVE-2025-54981 | HIGH | CVSS 7.5 | ≥ 2.0.0, < 2.1.7 | 2025-12-12
CWE-327: Weak Encryption Algorithm in StreamPark. The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the
nvd
CVE-2025-53960 | MEDIUM | CVSS 5.9 | ≥ 2.0.0, < 2.1.7 | 2025-12-12
CWE-1240: When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is alread
nvd
CVE-2025-30001 | HIGH | CVSS 7.3 | ≥ 2.1.4, < 2.1.6 | 2025-10-10
CWE-279: Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue.
nvd
CVE-2024-48988 | HIGH | CVSS 7.6 | ≥ 2.1.4, < 2.1.6 | 2025-08-22
CWE-564: SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts. It can only be exploited after a user ha
nvd
CVE-2024-29070 | CRITICAL | CVSS 9.1 | ≥ 1.0.0, < 2.1.4 | 2024-07-23
CWE-613: On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4
nvd
CVE-2024-34457 | MEDIUM | CVSS 6.5 | fixed in 2.1.4 | 2024-07-22
CWE-639: On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4
nvd
CVE-2024-29178 | HIGH | CVSS 8.8 | fixed in 2.1.4 | 2024-07-18
CWE-94: On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server. The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4
nvd
CVE-2023-52291 | MEDIUM | CVSS 4.7 | ≥ 2.0.0, < 2.1.4 | 2024-07-17
CWE-77: In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of
nvd
CVE-2024-29737 | MEDIUM | CVSS 4.7 | ≥ 2.0.0, < 2.1.4 | 2024-07-17
CWE-77: In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of
nvd
CVE-2024-29120 | MEDIUM | CVSS 5.9 | ≥ 2.0.0, < 2.1.4 | 2024-07-17
CWE-212: In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc. Mitigation: all users should upgrade to 2.1.4
nvd
CVE-2023-52290 | HIGH | CVSS 8.1 | ≥ 2.0.0, < 2.1.4 | 2024-07-16
CWE-89: In streampark-console the list pages (e.g. application pages), users can sort page by field. This sort field is sent from the front-end to the back-end, and the SQL query is generated using this field. However, because this sort field isn't validated, there is a risk of SQL injection vulnerability. The attacker must successfully log into the system to l
nvd
CVE-2023-49898 | HIGH | CVSS 7.2 | ≥ 2.0.0, < 2.1.2 | 2023-12-15
CWE-77: In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissio
nvd
CVE-2023-30867 | MEDIUM | CVSS 4.9 | ≥ 2.0.0, < 2.1.2 | 2023-12-15
CWE-89: In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The SQL syntax: select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result i
nvd
CVE-2022-45802 | CRITICAL | CVSS 9.8 | fixed in 2.0.0 | 2023-05-01
CWE-434: Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later
nvd
CVE-2022-46365 | CRITICAL | CVSS 9.1 | ≥ 1.0.0, < 2.0.0 | 2023-05-01
CWE-20: Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal. This will allow malicious attackers to send any username to modify and reset the account, Us
nvd
CVE-2022-45801 | MEDIUM | CVSS 5.4 | ≥ 1.0.0, < 2.0.0 | 2023-05-01
CWE-74: Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to SQL Injection. LDAP injection atta
nvd