{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-32896","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2025-04-12T03:02:04.962Z","datePublished":"2025-06-19T10:38:37.159Z","dateUpdated":"2025-06-20T13:53:28.835Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache SeaTunnel","vendor":"Apache Software Foundation","versions":[{"lessThanOrEqual":"2.3.10","status":"affected","version":"2.3.1","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"Owen Amadeus"},{"lang":"en","type":"reporter","value":"liyiwei"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"# Summary<br><br>Unauthorized users can perform Arbitrary File Read and Deserialization<br>attack by submit job using restful api-v1.<br><br># Details<br>Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit<br>job.<br>An attacker can set extra params in mysql url to perform Arbitrary File<br>Read and Deserialization attack.<br><br>This issue affects Apache SeaTunnel: &lt;=2.3.10<br><br># Fixed<br><br>Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 &amp; open https two-way authentication , which fixes the issue."}],"value":"# Summary\n\nUnauthorized users can perform Arbitrary File Read and Deserialization\nattack by submit job using restful api-v1.\n\n# Details\nUnauthorized users can access `/hazelcast/rest/maps/submit-job` to submit\njob.\nAn attacker can set extra params in mysql url to perform Arbitrary File\nRead and Deserialization attack.\n\nThis issue affects Apache SeaTunnel: <=2.3.10\n\n# Fixed\n\nUsers are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue."}],"metrics":[{"other":{"content":{"text":"moderate"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-306","description":"CWE-306 Missing Authentication for Critical Function","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2025-06-19T10:38:37.159Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9"},{"tags":["patch"],"url":"https://github.com/apache/seatunnel/pull/9010"}],"source":{"discovery":"UNKNOWN"},"title":"Apache SeaTunnel: Unauthenticated insecure access","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2025/04/12/1"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-06-19T11:04:11.922Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":6.5,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"LOW","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-06-20T13:50:51.608425Z","id":"CVE-2025-32896","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-20T13:53:28.835Z"}}]}}