CVE-2022-46365 - OpenCVE

Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Streampark

Configuration 1 [-]

cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*

References

Link	Resource
https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h	Mailing List

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2023-05-01T14:53:50.130Z

Updated: 2023-05-01T14:53:50.130Z

Reserved: 2022-12-02T08:52:04.022Z

Link: CVE-2022-46365

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-05-01T15:15:09.013

Modified: 2023-05-09T18:04:19.747

Link: CVE-2022-46365

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-46365", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2022-12-02T08:52:04.022Z", "datePublished": "2023-05-01T14:53:50.130Z", "dateUpdated": "2023-05-01T14:53:50.130Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache StreamPark (incubating)", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "1.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\"><span style=\"background-color: rgb(255, 255, 255);\"><div><div>Apache StreamPark 1.0.0 <span style=\"background-color: rgb(255, 255, 255);\">before</span> 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, <span style=\"background-color: rgb(255, 255, 255);\">Users of the affected </span><span style=\"background-color: rgb(255, 255, 255);\">versions should upgrade to Apache StreamPark 2.0.0 or later.</span></div></div></span></span><br>"}], "value": "Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer\u00a0as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account,\u00a0Users of the affected\u00a0versions should upgrade to Apache StreamPark 2.0.0 or later.\n\n\n\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-05-01T14:53:50.130Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache StreamPark (incubating): Logic error causing any account reset", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}