{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-45801", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2022-11-23T07:18:12.724Z", "datePublished": "2023-05-01T14:50:11.110Z", "dateUpdated": "2024-08-03T14:17:04.092Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache StreamPark (incubating)", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "1.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div><span style=\"background-color: rgb(255, 255, 255);\">Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.</span><br><span style=\"background-color: rgb(255, 255, 255);\">LDAP Injection is an attack used to exploit web based applications</span><br><span style=\"background-color: rgb(255, 255, 255);\">that construct LDAP statements based on user input. When an</span><br><span style=\"background-color: rgb(255, 255, 255);\">application fails to properly sanitize user input, it's possible to</span><br><span style=\"background-color: rgb(255, 255, 255);\">modify LDAP statements through techniques similar to SQL Injection.</span><br><span style=\"background-color: rgb(255, 255, 255);\">LDAP injection attacks could result in the granting of permissions to</span><br><span style=\"background-color: rgb(255, 255, 255);\">unauthorized queries, and content modification inside the LDAP tree.</span><br><span style=\"background-color: rgb(255, 255, 255);\">This risk may only occur when the user logs in with ldap, and the user</span><br><span style=\"background-color: rgb(255, 255, 255);\">name and password login will not be affected, Users of the affected</span><br><span style=\"background-color: rgb(255, 255, 255);\">versions should upgrade to Apache StreamPark 2.0.0 or later.</span><br><br></div></div><br>"}], "value": "Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.\nLDAP Injection is an attack used to exploit web based applications\nthat construct LDAP statements based on user input. When an\napplication fails to properly sanitize user input, it's possible to\nmodify LDAP statements through techniques similar to SQL Injection.\nLDAP injection attacks could result in the granting of permissions to\nunauthorized queries, and content modification inside the LDAP tree.\nThis risk may only occur when the user logs in with ldap, and the user\nname and password login will not be affected, Users of the affected\nversions should upgrade to Apache StreamPark 2.0.0 or later.\n\n\n\n\n\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-05-01T14:50:11.110Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache StreamPark (incubating): LDAP Injection Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:17:04.092Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*", "matchCriteriaId": "18DFDC98-85AB-453B-AC21-4FA48A193C46", "versionEndExcluding": "2.0.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.\nLDAP Injection is an attack used to exploit web based applications\nthat construct LDAP statements based on user input. When an\napplication fails to properly sanitize user input, it's possible to\nmodify LDAP statements through techniques similar to SQL Injection.\nLDAP injection attacks could result in the granting of permissions to\nunauthorized queries, and content modification inside the LDAP tree.\nThis risk may only occur when the user logs in with ldap, and the user\nname and password login will not be affected, Users of the affected\nversions should upgrade to Apache StreamPark 2.0.0 or later.\n\n\n\n\n\n\n"}], "id": "CVE-2022-45801", "lastModified": "2023-05-09T18:09:27.697", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-01T15:15:08.790", "references": [{"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security@apache.org", "type": "Primary"}]}

{}