CVE-2024-31979 - Vulnerability Details - OpenCVE

Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.
Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements.
These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.
This issue affects Apache StreamPipes: through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00711.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Streampipes

Configuration 1 [-]

cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-9gr7-gh74-qg9x	Apache StreamPipes has possibility of SSRF in pipeline element installation process

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/07/16/11
https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y

History

Fri, 13 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2024/07/16/11
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-07-17T09:04:47.677Z

Updated: 2024-09-13T17:04:43.686Z

Reserved: 2024-04-08T12:12:26.266Z

Link: CVE-2024-31979

Vulnrichment

Updated: 2024-09-13T17:04:43.686Z

NVD

Status : Modified

Published: 2024-07-17T09:15:02.907

Modified: 2024-11-21T09:14:16.167

Link: CVE-2024-31979

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31979", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-04-08T12:12:26.266Z", "datePublished": "2024-07-17T09:04:47.677Z", "dateUpdated": "2024-09-13T17:04:43.686Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache StreamPipes", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "0.93.0", "status": "affected", "version": "0", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "finder", "value": "L0ne1y"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.<br>Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. <br>These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.<br><p>This issue affects Apache StreamPipes: through 0.93.0.</p><p>Users are recommended to upgrade to version 0.95.0, which fixes the issue.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.\nPreviously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. \nThese endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-17T09:04:47.677Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache StreamPipes: Possibility of SSRF in pipeline element installation process", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "apache", "product": "streampipes", "cpes": ["cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.93.0", "versionType": "maven"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-17T15:40:31.334390Z", "id": "CVE-2024-31979", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T15:45:08.448Z"}}, {"title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/16/11"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:04:43.686Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/16/11"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:04:43.686Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-31979", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-17T15:40:31.334390Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "streampipes", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "0.93.0"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T15:43:35.380Z"}}], "cna": {"title": "Apache StreamPipes: Possibility of SSRF in pipeline element installation process", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "L0ne1y"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache StreamPipes", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "0.93.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.\nPreviously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. \nThese endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.<br>Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. <br>These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.<br><p>This issue affects Apache StreamPipes: through 0.93.0.</p><p>Users are recommended to upgrade to version 0.95.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-17T09:04:47.677Z"}}}, "cveMetadata": {"cveId": "CVE-2024-31979", "state": "PUBLISHED", "dateUpdated": "2024-09-13T17:04:43.686Z", "dateReserved": "2024-04-08T12:12:26.266Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-07-17T09:04:47.677Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5EC9EC8-4988-4DAC-A92F-CCDED7F9CB52", "versionEndExcluding": "0.95.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.\nPreviously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. \nThese endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de Server-Side Request Forgery (SSRF) en Apache StreamPipes durante el proceso de instalaci\u00f3n de elementos de canalizaci\u00f3n. Anteriormente, StreamPipes permit\u00eda a los usuarios configurar endpoints personalizados desde los cuales instalar elementos de canalizaci\u00f3n adicionales. Estos endpoints no se validaron adecuadamente, lo que permiti\u00f3 que un atacante lograra que StreamPipes enviara una solicitud HTTP GET a una direcci\u00f3n arbitraria. Este problema afecta a Apache StreamPipes: hasta 0.93.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.95.0, que soluciona el problema."}], "id": "CVE-2024-31979", "lastModified": "2024-11-21T09:14:16.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-17T09:15:02.907", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/07/16/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@apache.org", "type": "Secondary"}]}