Vulnerabilites related to apache - streampipes
Vulnerability from fkie_nvd
Published
2024-07-17 09:15
Modified
2024-11-21 09:11
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration.
This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe's user management.
This issue affects Apache StreamPipes: through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/16/9 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr | Mailing List, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampipes | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5EC9EC8-4988-4DAC-A92F-CCDED7F9CB52",
"versionEndExcluding": "0.95.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration.\nThis allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe\u0027s user management.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"
},
{
"lang": "es",
"value": "Vulnerabilidad de condici\u00f3n de ejecuci\u00f3n de tiempo de verificaci\u00f3n de tiempo de uso (TOCTOU) en Apache StreamPipes en el registro autom\u00e1tico del usuario. Esto permite que un atacante solicite potencialmente la creaci\u00f3n de varias cuentas con la misma direcci\u00f3n de correo electr\u00f3nico hasta que se registre la direcci\u00f3n de correo electr\u00f3nico, lo que crea muchos usuarios id\u00e9nticos y corrompe la administraci\u00f3n de usuarios de StreamPipe. Este problema afecta a Apache StreamPipes: hasta 0.93.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.95.0, que soluciona el problema."
}
],
"id": "CVE-2024-30471",
"lastModified": "2024-11-21T09:11:59.580",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-17T09:15:02.640",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2024/07/16/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-367"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-367"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-23 08:15
Modified
2024-11-21 08:01
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles.
The issue is resolved by upgrading to StreamPipes 0.92.0.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/c4y8kf9bzpf36v4bottfmd8tc9cxo19m | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/c4y8kf9bzpf36v4bottfmd8tc9cxo19m | Mailing List, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampipes | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8795B46E-989D-4D94-B8B0-C2DAAA7E4823",
"versionEndIncluding": "0.91.0",
"versionStartIncluding": "0.69.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nA REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles.\nThe issue is resolved by upgrading to StreamPipes 0.92.0.\n\n"
}
],
"id": "CVE-2023-31469",
"lastModified": "2024-11-21T08:01:55.840",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-06-23T08:15:09.220",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/c4y8kf9bzpf36v4bottfmd8tc9cxo19m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/c4y8kf9bzpf36v4bottfmd8tc9cxo19m"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-17 09:15
Modified
2024-11-21 09:14
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.
Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements.
These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.
This issue affects Apache StreamPipes: through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/16/11 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y | Mailing List, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampipes | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5EC9EC8-4988-4DAC-A92F-CCDED7F9CB52",
"versionEndExcluding": "0.95.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.\nPreviously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. \nThese endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"
},
{
"lang": "es",
"value": "Vulnerabilidad de Server-Side Request Forgery (SSRF) en Apache StreamPipes durante el proceso de instalaci\u00f3n de elementos de canalizaci\u00f3n. Anteriormente, StreamPipes permit\u00eda a los usuarios configurar endpoints personalizados desde los cuales instalar elementos de canalizaci\u00f3n adicionales. Estos endpoints no se validaron adecuadamente, lo que permiti\u00f3 que un atacante lograra que StreamPipes enviara una solicitud HTTP GET a una direcci\u00f3n arbitraria. Este problema afecta a Apache StreamPipes: hasta 0.93.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.95.0, que soluciona el problema."
}
],
"id": "CVE-2024-31979",
"lastModified": "2024-11-21T09:14:16.167",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-17T09:15:02.907",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2024/07/16/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-17 10:15
Modified
2024-11-21 09:13
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
6.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
Summary
Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.
Such a dangerous type might be an executable file that may lead to a remote code execution (RCE).
The unrestricted upload is only possible for authenticated and authorized users.
This issue affects Apache StreamPipes: through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/07/16/10 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt | Mailing List, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | streampipes | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5EC9EC8-4988-4DAC-A92F-CCDED7F9CB52",
"versionEndExcluding": "0.95.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.\nSuch a dangerous type might be an executable file that may lead to a remote code execution (RCE).\nThe unrestricted upload is only possible for authenticated and authorized users.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"
},
{
"lang": "es",
"value": "Carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Apache StreamPipes. Un tipo tan peligroso podr\u00eda ser un archivo ejecutable que pueda conducir a una ejecuci\u00f3n remota de c\u00f3digo (RCE). La carga sin restricciones s\u00f3lo es posible para usuarios autenticados y autorizados. Este problema afecta a Apache StreamPipes: hasta 0.93.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.95.0, que soluciona el problema."
}
],
"id": "CVE-2024-31411",
"lastModified": "2024-11-21T09:13:28.803",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-07-17T10:15:01.810",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2024/07/16/10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security@apache.org",
"type": "Primary"
}
]
}
cve-2024-31411
Vulnerability from cvelistv5
Published
2024-07-17 09:22
Modified
2024-09-13 17:04
Severity ?
EPSS score ?
Summary
Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.
Such a dangerous type might be an executable file that may lead to a remote code execution (RCE).
The unrestricted upload is only possible for authenticated and authorized users.
This issue affects Apache StreamPipes: through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPipes |
Version: 0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache_software_foundation:apache_streampipes:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "apache_streampipes",
"vendor": "apache_software_foundation",
"versions": [
{
"lessThanOrEqual": "0.93.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31411",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T18:40:39.187523Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T18:43:54.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-13T17:04:42.752Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/16/10"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPipes",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.93.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.\u003cbr\u003eSuch a dangerous type might be an executable file that may lead to a remote code execution (RCE).\u003cbr\u003eThe unrestricted upload is only possible for authenticated and authorized users.\u003cbr\u003e\u003cp\u003eThis issue affects Apache StreamPipes: through 0.93.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.\nSuch a dangerous type might be an executable file that may lead to a remote code execution (RCE).\nThe unrestricted upload is only possible for authenticated and authorized users.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T09:22:08.507Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/b0657okbwzg5xxs11hphvc9qrd9s70mt"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache StreamPipes: Potential remote code execution (RCE) via file upload",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31411",
"datePublished": "2024-07-17T09:22:08.507Z",
"dateReserved": "2024-04-03T10:48:25.894Z",
"dateUpdated": "2024-09-13T17:04:42.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-31979
Vulnerability from cvelistv5
Published
2024-07-17 09:04
Modified
2024-09-13 17:04
Severity ?
EPSS score ?
Summary
Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.
Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements.
These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.
This issue affects Apache StreamPipes: through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPipes |
Version: 0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "streampipes",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "0.93.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-31979",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T15:40:31.334390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T15:45:08.448Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-13T17:04:43.686Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/16/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPipes",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.93.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "L0ne1y"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.\u003cbr\u003ePreviously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. \u003cbr\u003eThese endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.\u003cbr\u003e\u003cp\u003eThis issue affects Apache StreamPipes: through 0.93.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.\nPreviously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. \nThese endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T09:04:47.677Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache StreamPipes: Possibility of SSRF in pipeline element installation process",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-31979",
"datePublished": "2024-07-17T09:04:47.677Z",
"dateReserved": "2024-04-08T12:12:26.266Z",
"dateUpdated": "2024-09-13T17:04:43.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-31469
Vulnerability from cvelistv5
Published
2023-06-23 07:07
Modified
2024-10-09 15:11
Severity ?
EPSS score ?
Summary
A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles.
The issue is resolved by upgrading to StreamPipes 0.92.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/c4y8kf9bzpf36v4bottfmd8tc9cxo19m | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPipes |
Version: 0.69.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:53:30.748Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/c4y8kf9bzpf36v4bottfmd8tc9cxo19m"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "streampipes",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "0.91.0",
"status": "affected",
"version": "0.69.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-31469",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T15:01:53.115769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T15:11:39.555Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPipes",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.91.0",
"status": "affected",
"version": "0.69.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Xun Bai, LJQC Open Source Security Institute"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nA REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ewas not properly restricted to admin-only access. This \u003c/span\u003eallowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles.\u003cbr\u003eThe issue is resolved by upgrading to StreamPipes 0.92.0.\n\n"
}
],
"value": "\nA REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles.\nThe issue is resolved by upgrading to StreamPipes 0.92.0.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-23T07:07:42.875Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/c4y8kf9bzpf36v4bottfmd8tc9cxo19m"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache StreamPipes: Privilege escalation through non-admin user",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-31469",
"datePublished": "2023-06-23T07:07:42.875Z",
"dateReserved": "2023-04-28T19:12:18.352Z",
"dateUpdated": "2024-10-09T15:11:39.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-30471
Vulnerability from cvelistv5
Published
2024-07-17 09:01
Modified
2024-09-13 17:04
Severity ?
EPSS score ?
Summary
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration.
This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe's user management.
This issue affects Apache StreamPipes: through 0.93.0.
Users are recommended to upgrade to version 0.95.0, which fixes the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache StreamPipes |
Version: 0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "streampipes",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "0.93.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-30471",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T20:12:54.973832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T20:14:46.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-13T17:04:36.497Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/16/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache StreamPipes",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "0.93.0",
"status": "affected",
"version": "0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "TonyNT from VNPT-NET"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration.\u003cbr\u003eThis allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe\u0027s user management.\u003cbr\u003e\u003cp\u003eThis issue affects Apache StreamPipes: through 0.93.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache StreamPipes in user self-registration.\nThis allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and corrupting StreamPipe\u0027s user management.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-367",
"description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T09:01:52.214Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/8yodrmohgcybq900or3d4hc1msl230fr"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache StreamPipes: Potential creation of multiple identical accounts",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-30471",
"datePublished": "2024-07-17T09:01:52.214Z",
"dateReserved": "2024-03-27T09:17:45.583Z",
"dateUpdated": "2024-09-13T17:04:36.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}