CVE-2023-30867

Опубликовано: 15 дек. 2023

Источник: nvd

CVSS3: 4.9

EPSS Низкий

Описание

In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.

Mitigation:

Users are recommended to upgrade to version 2.1.2, which fixes the issue.

Ссылки

https://lists.apache.org/thread/bhdzh6hnh04yyf3g203bbyvxryd720o2
Mailing List
Vendor Advisory
https://lists.apache.org/thread/bhdzh6hnh04yyf3g203bbyvxryd720o2
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 2.1.2 (исключая)

EPSS

Процентиль: 60%

0.00402

Низкий

4.9 Medium

CVSS3

Дефекты

CWE-89

Связанные уязвимости

GHSA-rrcg-jwr5-32g7