In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.
Mitigation:
Users are recommended to upgrade to version 2.1.2, which fixes the issue.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/bhdzh6hnh04yyf3g203bbyvxryd720o2 | Mailing List Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2023-12-15T12:14:02.074Z
Updated: 2023-12-15T12:14:02.074Z
Reserved: 2023-04-19T10:43:44.618Z
Link: CVE-2023-30867
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-12-15T13:15:07.223
Modified: 2023-12-21T19:58:39.513
Link: CVE-2023-30867
JSON object: View
Redhat Information
No data.
CWE