GHSA-3hg2-rh4r-8qf6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3hg2-rh4r-8qf6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-3hg2-rh4r-8qf6/GHSA-3hg2-rh4r-8qf6.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-3hg2-rh4r-8qf6
- Aliases
-
- CVE-2025-53960
- Published
- 2025-12-12T18:30:35Z
- Modified
- 2025-12-12T20:41:19.097260Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Apache StreamPark: Use the user’s password as the secret key Vulnerability
- Details
-
When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information.
This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.
Users are recommended to upgrade to version 2.1.7, which fixes the issue.
- Database specific
{ "nvd_published_at": "2025-12-12T16:15:44Z", "github_reviewed_at": "2025-12-12T20:19:56Z", "cwe_ids": [ "CWE-1240" ], "severity": "HIGH", "github_reviewed": true }- References
Affected packages
Maven / org.apache.streampark:streampark
Package
- Name
- org.apache.streampark:streampark
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.streampark/streampark