CVE-2024-31979

MEDIUM

Apache StreamPipes <0.95.0 - SSRF

Title source: llm

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y

[Mailing List] http://www.openwall.com/lists/oss-security/2024/07/16/11

Scores

CVSS v3 4.3

EPSS 0.0071

EPSS Percentile 72.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Classification

CWE

CWE-918

Status published

Affected Products (3)

apache/streampipes < 0.95.0

org.apache.streampipes/streampipes-parent < 0.95.0Maven

pypi/streampipes < 0.95.0PyPI

Timeline

Published Jul 17, 2024

Tracked Since Feb 18, 2026