CVE-2024-31979

Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*

History

25 Jul 2024, 13:38

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de Server-Side Request Forgery (SSRF) en Apache StreamPipes durante el proceso de instalación de elementos de canalización. Anteriormente, StreamPipes permitía a los usuarios configurar endpoints personalizados desde los cuales instalar elementos de canalización adicionales. Estos endpoints no se validaron adecuadamente, lo que permitió que un atacante lograra que StreamPipes enviara una solicitud HTTP GET a una dirección arbitraria. Este problema afecta a Apache StreamPipes: hasta 0.93.0. Se recomienda a los usuarios actualizar a la versión 0.95.0, que soluciona el problema.
CPE		cpe:2.3:a:apache:streampipes::::::::
References	~~() https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y -~~	() https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y - Mailing List, Vendor Advisory
First Time		Apache streampipes Apache
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3

17 Jul 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-17 09:15

Updated : 2024-08-01 13:51

NVD link : CVE-2024-31979

Mitre link : CVE-2024-31979

CVE.ORG link : CVE-2024-31979

JSON object : View

Products Affected

apache

streampipes

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-31979", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-07-17T09:15:02.907", "references": [{"url": "https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements.\nPreviously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. \nThese endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address.\nThis issue affects Apache StreamPipes: through 0.93.0.\n\nUsers are recommended to upgrade to version 0.95.0, which fixes the issue.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de Server-Side Request Forgery (SSRF) en Apache StreamPipes durante el proceso de instalaci\u00f3n de elementos de canalizaci\u00f3n. Anteriormente, StreamPipes permit\u00eda a los usuarios configurar endpoints personalizados desde los cuales instalar elementos de canalizaci\u00f3n adicionales. Estos endpoints no se validaron adecuadamente, lo que permiti\u00f3 que un atacante lograra que StreamPipes enviara una solicitud HTTP GET a una direcci\u00f3n arbitraria. Este problema afecta a Apache StreamPipes: hasta 0.93.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 0.95.0, que soluciona el problema."}], "lastModified": "2024-08-01T13:51:19.213", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5EC9EC8-4988-4DAC-A92F-CCDED7F9CB52", "versionEndExcluding": "0.95.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}