Headline
GHSA-rrcg-jwr5-32g7: Apache StreamPark: Authenticated system users could trigger SQL injection vulnerability
In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%’. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.
Mitigation:
Users are recommended to upgrade to version 2.1.2, which fixes the issue.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-30867
Apache StreamPark: Authenticated system users could trigger SQL injection vulnerability
Critical severity GitHub Reviewed Published Dec 15, 2023 to the GitHub Advisory Database • Updated Dec 16, 2023
Package
maven org.apache.streampark:streampark (Maven)
Affected versions
>= 2.0.0, < 2.1.2
In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%’. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.
Mitigation:
Users are recommended to upgrade to version 2.1.2, which fixes the issue.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-30867
- https://lists.apache.org/thread/bhdzh6hnh04yyf3g203bbyvxryd720o2
Published to the GitHub Advisory Database
Dec 15, 2023
Last updated
Dec 16, 2023
Related news
In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage. Mitigation: Users are recommended to upgrade to version 2.1.2, which fixes the issue.