GSD-2022-45801

Vulnerability from gsd - Updated: 2023-12-13 01:19
Details
Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to SQL Injection. LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. This risk may only occur when the user logs in with ldap, and the user name and password login will not be affected, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.
Aliases
Aliases
CVE-2022-45801
To clipboard 

{
  "GSD": {
    "alias": "CVE-2022-45801",
    "id": "GSD-2022-45801"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-45801"
      ],
      "details": "Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.\nLDAP Injection is an attack used to exploit web based applications\nthat construct LDAP statements based on user input. When an\napplication fails to properly sanitize user input, it\u0027s possible to\nmodify LDAP statements through techniques similar to SQL Injection.\nLDAP injection attacks could result in the granting of permissions to\nunauthorized queries, and content modification inside the LDAP tree.\nThis risk may only occur when the user logs in with ldap, and the user\nname and password login will not be affected, Users of the affected\nversions should upgrade to Apache StreamPark 2.0.0 or later.\n\n\n\n\n\n\n",
      "id": "GSD-2022-45801",
      "modified": "2023-12-13T01:19:24.304580Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2022-45801",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache StreamPark (incubating)",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "1.0.0",
                          "version_value": "2.0.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.\nLDAP Injection is an attack used to exploit web based applications\nthat construct LDAP statements based on user input. When an\napplication fails to properly sanitize user input, it\u0027s possible to\nmodify LDAP statements through techniques similar to SQL Injection.\nLDAP injection attacks could result in the granting of permissions to\nunauthorized queries, and content modification inside the LDAP tree.\nThis risk may only occur when the user logs in with ldap, and the user\nname and password login will not be affected, Users of the affected\nversions should upgrade to Apache StreamPark 2.0.0 or later.\n\n\n\n\n\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-74",
                "lang": "eng",
                "value": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[1.0.0,2.0.0)",
          "affected_versions": "All versions starting from 1.0.0 before 2.0.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-74",
            "CWE-937"
          ],
          "date": "2023-05-01",
          "description": "Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.\nLDAP Injection is an attack used to exploit web based applications\nthat construct LDAP statements based on user input. When an\napplication fails to properly sanitize user input, it\u0027s possible to\nmodify LDAP statements through techniques similar to SQL Injection.\nLDAP injection attacks could result in the granting of permissions to\nunauthorized queries, and content modification inside the LDAP tree.\nThis risk may only occur when the user logs in with ldap, and the user\nname and password login will not be affected, Users of the affected\nversions should upgrade to Apache StreamPark 2.0.0 or later.\n\n\n\n\n\n\n",
          "fixed_versions": [
            "2.0.0"
          ],
          "identifier": "CVE-2022-45801",
          "identifiers": [
            "GHSA-pjfj-qvqw-3f6v",
            "CVE-2022-45801"
          ],
          "not_impacted": "All versions before 1.0.0, all versions starting from 2.0.0",
          "package_slug": "maven/org.apache.streampark/streampark",
          "pubdate": "2023-05-01",
          "solution": "Upgrade to version 2.0.0 or above.",
          "title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-45801",
            "https://lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9",
            "https://github.com/advisories/GHSA-pjfj-qvqw-3f6v"
          ],
          "uuid": "011c59b5-45b4-4540-9b8f-dcfddb061dd1"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.0.0",
                "versionStartIncluding": "1.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-45801"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability.\nLDAP Injection is an attack used to exploit web based applications\nthat construct LDAP statements based on user input. When an\napplication fails to properly sanitize user input, it\u0027s possible to\nmodify LDAP statements through techniques similar to SQL Injection.\nLDAP injection attacks could result in the granting of permissions to\nunauthorized queries, and content modification inside the LDAP tree.\nThis risk may only occur when the user logs in with ldap, and the user\nname and password login will not be affected, Users of the affected\nversions should upgrade to Apache StreamPark 2.0.0 or later.\n\n\n\n\n\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-74"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9",
              "refsource": "MISC",
              "tags": [
                "Mailing List"
              ],
              "url": "https://lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2023-05-09T18:09Z",
      "publishedDate": "2023-05-01T15:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.