Base Score

CRITICAL9.8

CVE-2022-45802

Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later

VectorNETWORK

Published Bysecurity@apache.org

Published DateMay 01, 2023, 15:15

Affected Versions(2)

org.apache.streampark:streampark-common_2.12(Maven)

Introduced0

Fixed2.0.0

LimitN/A

org.apache.streampark:streampark-common_2.11(Maven)

Introduced0

Fixed2.0.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.apache.streampark:streampark-common_2.12(Maven)	0	2.0.0	N/A
org.apache.streampark:streampark-common_2.11(Maven)	0	2.0.0	N/A

Weakness Type (CWE):CWE-434

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://lists.apache.org/thread/thwl1v2h6r3c21x1qwff08o57qzjnst6

Base Score

CRITICAL9.8

Weakness Type (CWE):CWE-434

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH