CVE-2024-29178— Apache StreamPark: FreeMarker SSTI RCE Vulnerability
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-29178
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache StreamPark: FreeMarker SSTI RCE Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache StreamPark 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache StreamPark是美国阿帕奇(Apache)基金会的一个流媒体应用程序开发框架。 Apache StreamPark 2.1.4之前版本存在代码注入漏洞,该漏洞源于用户可以登录并执行模板注入攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPark | 1.0.0 ~ 2.1.4 | - |
II. Public POCs for CVE-2024-29178
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-29178
请登录查看更多情报信息。
Same Patch Batch · Apache Software Foundation · 2024-07-18 · 3 CVEs total
| CVE-2024-40898 | Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows | |
| CVE-2024-40725 | Apache HTTP Server: source code disclosure with handlers configured via AddType |
IV. Related Vulnerabilities
Same product: Apache StreamPark
- CVE-2025-53960
Apache StreamPark: Uses the user’s password as the secret ke - CVE-2025-54947
Apache StreamPark: Use hard-coded key vulnerability - CVE-2025-54981
Apache StreamPark: Weak Encryption Algorithm in StreamPark - CVE-2025-30001
Apache StreamPark: Authenticated users can trigger remote co - CVE-2024-48988
Apache StreamPark: SQL injection vulnerability
Same vendor: Apache Software Foundation
- CVE-2026-35194
Apache Flink: Remote code execution via SQL injection in cod - CVE-2026-45205
Apache Commons Configuration: StackOverflowError for YAML in - CVE-2026-43515
Apache Tomcat: Security constraints not correctly applied - CVE-2026-43514
Apache Tomcat: AJP secret compared in non-constant time - CVE-2026-43513
Apache Tomcat: LockOutRealm treats user names as case-sensit
Same weakness: CWE-94
- CVE-2021-47952
python jsonpickle 2.0.0 Remote Code Execution via py/repr - CVE-2021-47964
Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanag - CVE-2026-44717
MCP Calculate Server: Prompt Injection to RCE - CVE-2026-41258
OpenMRS: Stored Velocity SSTI to RCE via ConceptReferenceRan - CVE-2026-35194
Apache Flink: Remote code execution via SQL injection in cod
V. Comments for CVE-2024-29178
No comments yet