CVE-2024-31979

MEDIUM

Apache StreamPipes <= 0.93.0 - Server-Side Request Forgery via Pipeline Element Installation Endpoint

Title source: llm

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2024/07/16/11

Mailing List, Vendor Advisory vendor-advisory

https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y

Scores

CVSS v3 4.3

EPSS 0.0095

EPSS Percentile 76.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-918

Status published

Products (3)

apache/streampipes < 0.95.0

org.apache.streampipes/streampipes-parent 0 - 0.95.0Maven

pypi/streampipes 0 - 0.95.0PyPI

Published Jul 17, 2024

Tracked Since Feb 18, 2026