CVE-2022-45801

{"id": "CVE-2022-45801", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2023-05-01T15:15:08.790", "references": [{"url": "https://lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9", "tags": ["Mailing List"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.\nLDAP Injection is an attack used to exploit web based applications\nthat construct LDAP statements based on user input. When an\napplication fails to properly sanitize user input, it's possible to\nmodify LDAP statements through techniques similar to SQL Injection.\nLDAP injection attacks could result in the granting of permissions to\nunauthorized queries, and content modification inside the LDAP tree.\nThis risk may only occur when the user logs in with ldap, and the user\nname and password login will not be affected, Users of the affected\nversions should upgrade to Apache StreamPark 2.0.0 or later.\n\n\n\n\n\n\n"}], "lastModified": "2023-05-09T18:09:27.697", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18DFDC98-85AB-453B-AC21-4FA48A193C46", "versionEndExcluding": "2.0.0", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}