GHSA-9gr7-gh74-qg9x

Suggest an improvement
Source
https://github.com/advisories/GHSA-9gr7-gh74-qg9x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-9gr7-gh74-qg9x/GHSA-9gr7-gh74-qg9x.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9gr7-gh74-qg9x
Aliases
Published
2024-07-17T09:30:49Z
Modified
2024-07-25T20:49:25.921944Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Apache StreamPipes has possibility of SSRF in pipeline element installation process
Details

Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.

This issue affects Apache StreamPipes: through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

Database specific
{
    "nvd_published_at": "2024-07-17T09:15:02Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-18T20:19:47Z"
}
References

Affected packages

Maven / org.apache.streampipes:streampipes-parent

Package

Name
org.apache.streampipes:streampipes-parent
View open source insights on deps.dev
Purl
pkg:maven/org.apache.streampipes/streampipes-parent

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.95.0

Affected versions

0.*

0.66.0
0.67.0
0.68.0
0.69.0
0.70.0
0.90.0
0.91.0
0.92.0
0.93.0