CVE-2022-45802 - OpenCVE

Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Streampark

Configuration 1 [-]

cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread/thwl1v2h6r3c21x1qwff08o57qzjnst6

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-05-01T14:04:57.625Z

Updated: 2024-08-03T14:17:04.058Z

Reserved: 2022-11-23T07:18:36.400Z

Link: CVE-2022-45802

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-05-01T15:15:08.943

Modified: 2023-06-26T11:15:09.653

Link: CVE-2022-45802

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-45802", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2022-11-23T07:18:36.400Z", "datePublished": "2023-05-01T14:04:57.625Z", "dateUpdated": "2024-08-03T14:17:04.058Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache StreamPark (incubating)", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.0.0", "status": "affected", "version": "1.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><div><span style=\"background-color: var(--wht);\">Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, </span><span style=\"background-color: var(--wht);\">Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later</span></div><br></div><br><br>"}], "value": "Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory,\u00a0Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later\n\n\n\n\n\n\n"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-06-26T10:23:47.893Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/thwl1v2h6r3c21x1qwff08o57qzjnst6"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache StreamPark (incubating): Upload any file to any directory", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:17:04.058Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/thwl1v2h6r3c21x1qwff08o57qzjnst6"}]}]}}