Apache Streampark
17 CVEs affecting Apache Streampark. Latest disclosed: 2025-12-12. Critical: 4, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-54947 | Critical | 9.8 | 2025-12-12 | In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the… |
| CVE-2022-45802 | Critical | 9.8 | 2023-05-01 | Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high… |
| CVE-2024-29070 | Critical | 9.1 | 2024-07-23 | On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the fro… |
| CVE-2022-46365 | Critical | 9.1 | 2023-05-01 | Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter… |
| CVE-2024-29178 | High | 8.8 | 2024-07-18 | On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must succe… |
| CVE-2023-52290 | High | 8.1 | 2024-07-16 | In streampark-console the list pages(e.g: application pages), users can sort page by field. This sort field is sent from the front-end to the back-end, and the… |
| CVE-2024-48988 | High | 7.6 | 2025-08-22 | SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version… |
| CVE-2025-54981 | High | 7.5 | 2025-12-12 | Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT t… |
| CVE-2025-30001 | High | 7.3 | 2025-10-10 | Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recomme… |
| CVE-2023-49898 | High | 7.2 | 2023-12-15 | In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. all… |
| CVE-2024-34457 | Medium | 6.5 | 2024-07-22 | On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user fli… |
| CVE-2025-53960 | Medium | 5.9 | 2025-12-12 | When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker c… |
| CVE-2024-29120 | Medium | 5.9 | 2024-07-17 | In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credentia… |
| CVE-2022-45801 | Medium | 5.4 | 2023-05-01 | Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP st… |
| CVE-2023-30867 | Medium | 4.9 | 2023-12-15 | In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role nam… |
| CVE-2024-29737 | Medium | 4.7 | 2024-07-17 | In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert comma… |
| CVE-2023-52291 | Medium | 4.7 | 2024-07-17 | In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert comma… |