CVE-2022-45802: Apache StreamPark Path Traversal vulnerability

July 6, 2023 (updated October 21, 2024)

Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type. This means users may upload some high-risk files, and may upload them to any directory. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

References

github.com/advisories/GHSA-6874-289g-f7h7
github.com/apache/incubator-streampark
github.com/apache/incubator-streampark/commit/0c87c6d8cf39ef2c31c1dea1a7df23d76f5e1236
lists.apache.org/thread/thwl1v2h6r3c21x1qwff08o57qzjnst6
nvd.nist.gov/vuln/detail/CVE-2022-45802

Detect and mitigate CVE-2022-45802 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →