CVE-2022-46365

Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h	Mailing List
https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h	Mailing List

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:30

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h - Mailing List~~	() https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h - Mailing List

Information

Published : 2023-05-01 15:15

Updated : 2024-11-21 07:30

NVD link : CVE-2022-46365

Mitre link : CVE-2022-46365

CVE.ORG link : CVE-2022-46365

JSON object : View

Products Affected

apache

streampark

CWE

CWE-20

Improper Input Validation

NVD-CWE-noinfo

{"id": "CVE-2022-46365", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2023-05-01T15:15:09.013", "references": [{"url": "https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer\u00a0as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account,\u00a0Users of the affected\u00a0versions should upgrade to Apache StreamPark 2.0.0 or later.\n\n\n\n\n"}], "lastModified": "2024-11-21T07:30:28.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18DFDC98-85AB-453B-AC21-4FA48A193C46", "versionEndExcluding": "2.0.0", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}