{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-53960", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-07-15T15:10:34.714Z", "datePublished": "2025-12-12T15:15:49.443Z", "dateUpdated": "2025-12-12T18:47:22.376Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache StreamPark", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.1.7", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "omkar parkhe <omkarparth@gmail.com>"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p></p><div><div><p>When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information.</p></div></div><div><div></div></div><br>This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.<p></p><p>Users are recommended to upgrade to version 2.1.7, which fixes the issue.</p>"}], "value": "When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information.\n\n\n\n\n\n\n\n\n\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1240", "description": "CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-12-12T15:15:49.443Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache StreamPark: Uses the user\u2019s password as the secret key", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/12/04/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-12-12T16:05:44.468Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-12T18:47:19.959060Z", "id": "CVE-2025-53960", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T18:47:22.376Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2025/12/04/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-12-12T16:05:44.468Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-53960", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-12T18:47:19.959060Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-12T18:46:30.253Z"}}], "cna": {"title": "Apache StreamPark: Uses the user\u2019s password as the secret key", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "omkar parkhe <omkarparth@gmail.com>"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache StreamPark", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information.\n\n\n\n\n\n\n\n\n\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p></p><div><div><p>When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information.</p></div></div><div><div></div></div><br>This issue affects Apache StreamPark: from 2.0.0 before 2.1.7.<p></p><p>Users are recommended to upgrade to version 2.1.7, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1240", "description": "CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-12-12T15:15:49.443Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53960", "state": "PUBLISHED", "dateUpdated": "2025-12-12T18:47:22.376Z", "dateReserved": "2025-07-15T15:10:34.714Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-12-12T15:15:49.443Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information.\n\n\n\n\n\n\n\n\n\n\nThis issue affects Apache StreamPark: from 2.0.0 before 2.1.7.\n\nUsers are recommended to upgrade to version 2.1.7, which fixes the issue."}], "id": "CVE-2025-53960", "lastModified": "2025-12-12T19:16:02.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-12T16:15:44.463", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2025/12/04/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1240"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{}