{"schema_version": "1.6.1", "id": "CVE-2025-32896", "summary": "Unauthenticated insecure access", "details": "# Summary\n\nUnauthorized users can perform Arbitrary File Read and Deserialization\nattack by submit job using restful api-v1.\n\n# Details\nUnauthorized users can access `/hazelcast/rest/maps/submit-job` to submit\njob.\nAn attacker can set extra params in mysql url to perform Arbitrary File\nRead and Deserialization attack.\n\nThis issue affects Apache SeaTunnel: <=2.3.10\n\n# Fixed\n\nUsers are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "2.3.1"}, {"last_affected": "2.3.1"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9"}, {"type": "WEB", "url": "https://github.com/apache/seatunnel/pull/9010"}]}