Description

Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later

Remediation

References

https://lists.apache.org/thread/thwl1v2h6r3c21x1qwff08o57qzjnst6

Related Vulnerabilities

CVE-2020-13920 Vulnerability in maven package org.apache.activemq:activemq-core

CVE-2019-3795 Vulnerability in maven package org.springframework.security:spring-security-core

CVE-2017-7684 Vulnerability in maven package org.apache.openmeetings:openmeetings-server

CVE-2019-17556 Vulnerability in maven package org.apache.olingo:odata-client-proxy

CVE-2021-36162 Vulnerability in maven package org.apache.dubbo:dubbo-cluster

Severity

Critical

Classification

CWE-434 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List