CVE-2023-52290
HIGHApache StreamPark 2.0.0-2.1.3 - Authenticated SQL Injection via Sort Field
Title source: llmDescription
In streampark-console the list pages(e.g: application pages), users can sort page by field. This sort field is sent from the front-end to the back-end, and the SQL query is generated using this field. However, because this sort field isn't validated, there is a risk of SQL injection vulnerability. The attacker must successfully log into the system to launch an attack, which may cause data leakage. Since no data will be written, so this is a low-impact vulnerability. Mitigation: all users should upgrade to 2.1.4, Such parameters will be blocked.
References (2)
Core 2
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/07/15/4
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/t3mcm8pb65d9gj3wrgtj9sx9s2pfvvl3
Scores
CVSS v3
8.1
EPSS
0.0060
EPSS Percentile
69.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
apache/streampark
2.0.0 - 2.1.4
Published
Jul 16, 2024
Tracked Since
Feb 18, 2026