{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-30867","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2023-04-19T10:43:44.618Z","datePublished":"2023-12-15T12:14:02.074Z","dateUpdated":"2024-08-02T14:37:15.494Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache StreamPark (incubating)","vendor":"Apache Software Foundation","versions":[{"lessThan":"2.1.2","status":"affected","version":"2.0.0","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div><span style=\"background-color: var(--wht);\">In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.</span><div><span style=\"background-color: var(--wht);\"><br></span></div><br><div>Mitigation:</div><div><br></div><span style=\"background-color: rgb(255, 255, 255);\">Users are recommended to upgrade to version 2.1.2, which fixes the issue.</span><br><br></div><br><p></p>"}],"value":"In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.\n\nMitigation:\n\nUsers are recommended to upgrade to version 2.1.2, which fixes the issue.\n\n"}],"metrics":[{"other":{"content":{"text":"low"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-89","description":"CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2023-12-15T12:14:02.074Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/bhdzh6hnh04yyf3g203bbyvxryd720o2"}],"source":{"discovery":"UNKNOWN"},"title":"Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T14:37:15.494Z"},"title":"CVE Program Container","references":[{"tags":["vendor-advisory","x_transferred"],"url":"https://lists.apache.org/thread/bhdzh6hnh04yyf3g203bbyvxryd720o2"}]}]}}