CVE-2025-32896— Apache SeaTunnel: Unauthenticated insecure access

Apache SeaTunnel: Unauthenticated insecure access

# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

N/A

关键功能的认证机制缺失

Apache SeaTunnel 访问控制错误漏洞

Apache SeaTunnel是美国阿帕奇（Apache）基金会的一个简单易用的数据集成框架。 Apache SeaTunnel 2.3.10及之前版本存在访问控制错误漏洞，该漏洞源于未授权用户可以通过restful api-v1提交作业执行任意文件读取和反序列化攻击。

N/A

N/A