Apache Software Foundation: Apache StreamPark vulnerabilities
9 known vulnerabilities affecting apache_software_foundation/apache_streampark.
Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 3
Vulnerabilities
CVE-2025-54947 | CRITICAL | CVSS 9.8 | CWE-321 (Use of Hard-coded Cryptographic Key) | affected: ≥ 2.0.0, < 2.1.7 | published: 2025-12-12
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analys
Sources: cvelistv5, nvd
CVE-2025-54981 | HIGH | CVSS 7.5 | CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) | affected: ≥ 2.0.0, < 2.1.7 | published: 2025-12-12
Weak encryption algorithm in StreamPark: the use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
Sources: cvelistv5, nvd
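Added illustration for CVE-2025-54947 and CVE-2025-54981 together, written in Go and not taken from StreamPark (the env var name STREAMPARK_DATA_KEY, the key bytes and the sample plaintext are constructed for the demo). It puts the two weak choices beside their fixes: a key that lives in the source is readable by anyone holding the artifact; AES-ECB makes equal plaintext blocks visible as equal ciphertext blocks; a seeded math/rand generator repeats its output, so it cannot supply nonces or IVs. The hardened path loads the key from configuration, fails closed when it is absent, and uses AES-GCM with a nonce from crypto/rand.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	mrand "math/rand"
	"os"
)

// hardcodedKey stands in for a key baked into the source (CWE-321): anyone with
// the jar, the binary or the repository can read it.
var hardcodedKey = []byte("0123456789abcdef") // 16 bytes = AES-128

// encryptECB encrypts with AES in ECB mode: every 16-byte block is encrypted on
// its own, so equal plaintext blocks produce equal ciphertext blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block-aligned")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// repeatedBlocks reports whether two 16-byte ciphertext blocks are identical: the ECB pattern leak.
func repeatedBlocks(ct []byte) bool {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// predictableNonces shows why a seeded math/rand generator is no nonce or IV
// source: two generators built the same way emit the same bytes.
func predictableNonces() bool {
	a, b := mrand.New(mrand.NewSource(1)), mrand.New(mrand.NewSource(1))
	for i := 0; i < 12; i++ {
		if a.Intn(256) != b.Intn(256) {
			return false
		}
	}
	return true
}

// loadKey takes the key from configuration (the hypothetical env var
// STREAMPARK_DATA_KEY) rather than the source, and fails closed when it is absent.
func loadKey() ([]byte, error) {
	k := os.Getenv("STREAMPARK_DATA_KEY")
	if n := len(k); n != 16 && n != 24 && n != 32 {
		return nil, errors.New("STREAMPARK_DATA_KEY must be a 16/24/32-byte AES key")
	}
	return []byte(k), nil
}

// encryptGCM is the hardened counterpart: AES-GCM with a fresh crypto/rand nonce prepended
// to the output. Equal plaintexts give different ciphertexts and tampering is detected on decrypt.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	// Constructed sample: 48 bytes whose first two blocks are identical.
	sample := append(bytes.Repeat([]byte("A"), 32), bytes.Repeat([]byte("B"), 16)...)
	ecb, _ := encryptECB(hardcodedKey, sample)
	fmt.Println("ECB leaks repeated blocks:", repeatedBlocks(ecb), "| seeded math/rand repeats:", predictableNonces())
	os.Setenv("STREAMPARK_DATA_KEY", "example-key-16by") // demo only; set it outside the process in practice
	key, _ := loadKey()
	g1, _ := encryptGCM(key, sample)
	g2, _ := encryptGCM(key, sample)
	fmt.Println("GCM leaks repeated blocks:", repeatedBlocks(g1), "| two GCM outputs equal:", bytes.Equal(g1, g2))
}
```

The ECB check is the one to run against any ciphertext a system emits: if two 16-byte blocks ever match, the mode is wrong regardless of key strength. In a Java code base the same hardening is Cipher.getInstance("AES/GCM/NoPadding") with a SecureRandom nonce and a key read from configuration rather than a constant.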
CVE-2025-53960 | MEDIUM | CVSS 5.9 | CWE-1240 (Use of a Cryptographic Primitive with a Risky Implementation) | affected: ≥ 2.0.0, < 2.1.7 | published: 2025-12-12
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is alread
Sources: cvelistv5, nvd
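Added example for CVE-2025-53960, written in Go and not taken from StreamPark: a minimal HS256 signer and verifier, the offline guessing an attacker can run against one captured token when the signing key is the user's password, and the hardened choice of a random secret that exists only on the server. The payload, the password "summer2024" and the wordlist are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// b64 is the base64url-without-padding alphabet JWT uses for its three segments.
var b64 = base64.RawURLEncoding

// signHS256 builds header.payload.signature over a JSON payload with whatever key
// the caller supplies. JWT has no opinion on where that key comes from, which is
// exactly the problem the advisory describes.
func signHS256(key []byte, payloadJSON string) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload := b64.EncodeToString([]byte(payloadJSON))
	signingInput := header + "." + payload
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyHS256 recomputes the MAC and compares it in constant time. A production
// verifier additionally pins the alg in the header to HS256; omitted here for brevity.
func verifyHS256(key []byte, token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	want := b64.EncodeToString(mac.Sum(nil))
	return subtle.ConstantTimeCompare([]byte(want), []byte(parts[2])) == 1
}

// offlineGuess is what an attacker holding one captured token can do when the
// signing key is the user's password: try candidates with no server round-trip,
// no lockout and no logging. A candidate that verifies is the password itself.
func offlineGuess(token string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if verifyHS256([]byte(c), token) {
			return c, true
		}
	}
	return "", false
}

// newServerSecret is the hardened choice: a random 32-byte secret that exists
// only on the server and is unrelated to any user credential.
func newServerSecret() ([]byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return secret, nil
}

func main() {
	payload := `{"sub":"alice","role":"user"}`
	// Constructed demo wordlist; a real attacker uses a leaked-password corpus.
	wordlist := []string{"123456", "password", "summer2024", "Welcome1!"}

	// Vulnerable: the key is the user's password.
	weak := signHS256([]byte("summer2024"), payload)
	if pw, ok := offlineGuess(weak, wordlist); ok {
		fmt.Println("password recovered offline:", pw)
		// With the password in hand the attacker mints any claims it likes.
		forged := signHS256([]byte(pw), `{"sub":"alice","role":"admin"}`)
		fmt.Println("forged token verifies:", verifyHS256([]byte(pw), forged))
	}

	// Hardened: the key is a server-side random secret; the wordlist finds nothing.
	secret, err := newServerSecret()
	if err != nil {
		panic(err)
	}
	_, ok := offlineGuess(signHS256(secret, payload), wordlist)
	fmt.Println("password recovered from hardened token:", ok)
}
```

The point of the hardened variant is not that the secret is longer: it is that a guess against the token tells the attacker nothing about any user's password, and that rotating the secret invalidates every outstanding token without touching user credentials.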
CVE-2025-30001 | HIGH | CVSS 7.3 | CWE-279 (Incorrect Execution-Assigned Permissions) | affected: ≥ 2.1.4, < 2.1.6 | published: 2025-10-10
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
Sources: cvelistv5, nvd
CVE-2024-48988 | HIGH | CVSS 7.6 | CWE-564 (SQL Injection: Hibernate) | affected: ≥ 2.1.4, < 2.1.6 | published: 2025-08-22
SQL Injection vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.
It can only be exploited after a user ha
Sources: cvelistv5, nvd
CVE-2024-29070 | CRITICAL | CVSS 9.1 | CWE-613 (Insufficient Session Expiration) | affected: ≥ 1.0.0, < 2.1.4 | published: 2024-07-23
On versions before 2.1.4, the session is not invalidated after logout. When the user logs in successfully, the backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout.
Mitigation: all users should upgrade to 2.1.4.
Sources: cvelistv5, nvd
CVE-2024-34457 | MEDIUM | CVSS 6.5 | CWE-639 (Authorization Bypass Through User-Controlled Key) | affected: ≥ 1.0.0, < 2.1.4 | published: 2024-07-22
On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view every user's Flink information, including executeSQL and config.
Mitigation: all users should upgrade to 2.1.4.
Sources: cvelistv5, nvd
CVE-2024-29178 | HIGH | CVSS 8.8 | CWE-94 (Improper Control of Generation of Code, 'Code Injection') | affected: ≥ 1.0.0, < 2.1.4 | published: 2024-07-18
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server. The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.
Mitigation: all users should upgrade to 2.1.4.
Sources: cvelistv5, nvd
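Added example for CVE-2024-29178 using Go's text/template; it is not StreamPark's engine or code (StreamPark is a Java project), and the JobContext type, its field names and the sample values are constructed here. Go's engine cannot execute OS commands, so the demo shows the root cause rather than the RCE itself: user input parsed as template source is evaluated, and a directive inside it reaches data the template author never referenced. In an engine that exposes object methods or process execution, the same mistake is what yields code execution. The fix is structural: the template is a developer-owned constant, and the user's text travels only as data.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// JobContext is the data a job template is rendered against. Secret stands for
// anything reachable from the renderer that the user was never meant to read.
type JobContext struct {
	JobName string
	Secret  string
}

// renderUntrusted is the vulnerable shape: the user's input becomes template
// source, so any directive inside it is parsed and executed by the engine.
func renderUntrusted(userInput string, ctx JobContext) (string, error) {
	tmpl, err := template.New("job").Parse("Job: " + userInput)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, ctx); err != nil {
		return "", err
	}
	return out.String(), nil
}

// fixedTemplate is parsed once from a developer-owned constant. Nothing the user
// sends can change what it does.
var fixedTemplate = template.Must(template.New("job").Parse("Job: {{.JobName}}"))

// renderAsData is the hardened shape: user input travels as a data field and is
// printed literally, never interpreted.
func renderAsData(userInput string, ctx JobContext) (string, error) {
	ctx.JobName = userInput
	var out bytes.Buffer
	if err := fixedTemplate.Execute(&out, ctx); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	ctx := JobContext{JobName: "nightly-etl", Secret: "s3cr3t-from-config"}
	payload := "{{.Secret}}" // constructed: a directive sent where a job name is expected
	leaked, _ := renderUntrusted(payload, ctx)
	safe, _ := renderAsData(payload, ctx)
	fmt.Printf("input as template: %s\ninput as data:     %s\n", leaked, safe)
}
```

When reviewing code for this class of bug, the question to ask of every Parse/compile call is whether any byte of its argument can originate from a request; if so, the engine is being handed a program, not a value.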
CVE-2024-29120 | MEDIUM | CVSS 5.9 | CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) | affected: ≥ 2.0.0, < 2.1.4 | published: 2024-07-17
In StreamPark (version < 2.1.4), when a user logged in successfully, the backend service would return "Authorization" as the front-end authentication credential. A user can use this credential to request other users' information, including the administrator's username, password, salt value, etc.
Mitigation: all users should upgrade to 2.1.4.
Sources: cvelistv5, nvd
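Added example covering CVE-2024-29070, CVE-2024-34457 and CVE-2024-29120 together, written in Go and not taken from StreamPark (usernames, app records, hashes and salts are constructed sample data). The three advisories describe one missing layer: the credential returned at login must be revocable, every read of a per-user resource must check ownership or admin role, and user records returned by the API must not carry the password hash or salt. Opaque random session tokens stored server-side give revocation directly; a separate UserView type makes returning credential material a compile error rather than an oversight.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// User is the stored record; UserView is the only shape the API may return for a
// user, so PasswordHash and Salt cannot leak by accident.
type User struct{ Name, Role, PasswordHash, Salt string }
type UserView struct{ Name, Role string }
type FlinkApp struct{ Owner, ExecuteSQL, Config string } // per-user resource

var ErrUnauthenticated = errors.New("unauthenticated")
var ErrForbidden = errors.New("forbidden")

// Server keeps sessions server-side, which is what makes revocation possible.
type Server struct {
	sessions map[string]string // opaque token -> username
	users    map[string]User
	apps     map[int]FlinkApp
}

// NewServer loads constructed sample data: two regular users, one admin, two apps.
func NewServer() *Server {
	return &Server{
		sessions: map[string]string{},
		users: map[string]User{
			"alice": {"alice", "user", "hash-a", "salt-a"},
			"bob":   {"bob", "user", "hash-b", "salt-b"},
			"root":  {"root", "admin", "hash-r", "salt-r"},
		},
		apps: map[int]FlinkApp{
			1: {"alice", "SELECT * FROM orders", "parallelism=2"},
			2: {"bob", "SELECT * FROM payments", "parallelism=8"},
		},
	}
}

// Login issues an opaque random token and records who it belongs to.
func (s *Server) Login(name string) (string, error) {
	if _, ok := s.users[name]; !ok {
		return "", ErrUnauthenticated
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := hex.EncodeToString(buf)
	s.sessions[token] = name
	return token, nil
}

// Logout deletes the server-side record, so the same token is rejected afterwards.
func (s *Server) Logout(token string) { delete(s.sessions, token) }

func (s *Server) authenticate(token string) (User, error) {
	if name, ok := s.sessions[token]; ok {
		return s.users[name], nil
	}
	return User{}, ErrUnauthenticated
}

// GetApp checks ownership on every request: the owner or an admin, nobody else.
func (s *Server) GetApp(token string, id int) (FlinkApp, error) {
	u, err := s.authenticate(token)
	if err != nil {
		return FlinkApp{}, err
	}
	app, ok := s.apps[id]
	if !ok || (app.Owner != u.Name && u.Role != "admin") {
		return FlinkApp{}, ErrForbidden // same answer for "missing" and "not yours"
	}
	return app, nil
}

// GetUser lets a user read only their own record unless admin, always redacted.
func (s *Server) GetUser(token, name string) (UserView, error) {
	u, err := s.authenticate(token)
	if err != nil {
		return UserView{}, err
	}
	target, ok := s.users[name]
	if !ok || (target.Name != u.Name && u.Role != "admin") {
		return UserView{}, ErrForbidden
	}
	return UserView{Name: target.Name, Role: target.Role}, nil
}

func main() {
	s := NewServer()
	tok, _ := s.Login("alice")
	_, errApp := s.GetApp(tok, 2)
	_, errUser := s.GetUser(tok, "root")
	s.Logout(tok)
	_, errAfter := s.GetApp(tok, 1)
	fmt.Println("bob's app:", errApp, "| admin record:", errUser, "| after logout:", errAfter)
}
```

Stateless bearer tokens such as self-contained JWTs cannot be revoked by deleting a map entry; if a system uses them, logout needs a server-side denylist checked on every request, or short-lived tokens with a revocable refresh token behind them.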