Apache StreamPipes security advisories
Security information for Apache StreamPipes
Reporting
Do you want disclose a potential security issue for Apache StreamPipes? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Leverage of User ID for Privilege Escalation
CVE-2025-47411 [CVE] [CVE json] [OSV json]
Last updated: 2026-01-01T16:41:48.353Z
Affected
- Apache StreamPipes from 0.69.0 through 0.97.0
Description
This issue affects Apache StreamPipes: through 0.97.0.
Users are recommended to upgrade to version 0.98.0, which fixes the issue.
References
Credits
- darren.xuan@mantelgroup.com.au (finder)
Possibility of SSRF in pipeline element installation process
CVE-2024-31979 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-17T09:03:15.953Z
Affected
- Apache StreamPipes through 0.93.0
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.
Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements.
These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.
This issue affects Apache StreamPipes: through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References
Credits
- L0ne1y (finder)
Potential remote code execution (RCE) via file upload
CVE-2024-31411 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-17T09:22:06.439Z
Affected
- Apache StreamPipes through 0.93.0
Description
Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.
Such a dangerous type might be an executable file that may lead to a remote code execution (RCE).
The unrestricted upload is only possible for authenticated and authorized users.
This issue affects Apache StreamPipes: through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References
Credits
- L0ne1y (finder)
Potential creation of multiple identical accounts
CVE-2024-30471 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-17T09:01:50.452Z
Affected
- Apache StreamPipes through 0.93.0
Description
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration.
This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe’s user management.
This issue affects Apache StreamPipes: through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References
Credits
- TonyNT from VNPT-NET (finder)
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
CVE-2024-29868 [CVE] [CVE json] [OSV json]
Last updated: 2024-06-24T09:59:38.377Z
Affected
- Apache StreamPipes from 0.69.0 through 0.93.0
- Apache StreamPipes from 0.69.0 through 0.93.0
Description
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism.
This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user’s account.
This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References
Credits
- Alessandro Albani, Digital Security Division Var Group (finder)
Resources Permission Escalation
CVE-2024-24778 [CVE] [CVE json] [OSV json]
Last updated: 2025-03-03T10:37:02.610Z
Affected
- Apache StreamPipes through 0.95.1
Description
Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was know.
This issue affects Apache StreamPipes: through 0.95.1.
Users are recommended to upgrade to version 0.97.0 which fixes the issue.
References
Privilege escalation through non-admin user
CVE-2023-31469 [CVE] [CVE json] [OSV json]
Last updated: 2023-06-23T07:07:40.534Z
Affected
- Apache StreamPipes from 0.69.0 through 0.91.0
Description
A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles.
The issue is resolved by upgrading to StreamPipes 0.92.0.
References
Credits
- Xun Bai, LJQC Open Source Security Institute (finder)