CVE-2025-32896

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-32896
# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/apache/seatunnel/pull/9010 Issue Tracking Patch
https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9 Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/04/12/1 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:seatunnel:*:*:*:*:*:*:*:*
History

08 Jul 2025, 13:05

Type Values Removed Values Added
References () https://github.com/apache/seatunnel/pull/9010 - () https://github.com/apache/seatunnel/pull/9010 - Issue Tracking, Patch
References () https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9 - () https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9 - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2025/04/12/1 - () http://www.openwall.com/lists/oss-security/2025/04/12/1 - Mailing List, Third Party Advisory
First Time Apache
Apache seatunnel
CPE cpe:2.3:a:apache:seatunnel:*:*:*:*:*:*:*:*

20 Jun 2025, 14:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
Summary
  • (es) Resumen: Usuarios no autorizados pueden realizar ataques de lectura arbitraria de archivos y deserialización al enviar trabajos con RESTful API-v1. # Detalles: Usuarios no autorizados pueden acceder a `/hazelcast/rest/maps/submit-job` para enviar trabajos. Un atacante puede establecer parámetros adicionales en la URL de MySQL para realizar ataques de lectura arbitraria de archivos y deserialización. Este problema afecta a Apache SeaTunnel: &lt;=2.3.10 # Corregido: Se recomienda a los usuarios actualizar a la versión 2.3.11 y habilitar RESTful API-v2 y la autenticación bidireccional HTTPS abierta, lo que soluciona el problema.

19 Jun 2025, 11:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-19 11:15

Updated : 2025-07-08 13:05

NVD link : CVE-2025-32896

Mitre link : CVE-2025-32896

CVE.ORG link : CVE-2025-32896

JSON object : View

Products Affected

apache

  • seatunnel
CWE
CWE-306

Missing Authentication for Critical Function