Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uploaded file type, causing users to upload some high-risk files, and may upload them to any directory, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "1.0.0"
},
{
"fixed": "2.0.0"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/45xxx/CVE-2022-45802.json",
"cna_assigner": "apache",
"cwe_ids": [
"CWE-434"
]
}{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0"
}
]
}"2026-07-09T05:41:22Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-45802.json"
[
{
"id": "CVE-2022-45802-56c2a45c",
"digest": {
"line_hashes": [
"71656344722943312801849449711893507401",
"64659150857662134098151502217020028558",
"262492611120373913243113230441025832054",
"202110951636850579304562443264749786966"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/apache/streampark/commit/6788ebae61d2f6d5122572229ce0a3a2555cc46d",
"deprecated": false,
"target": {
"file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/config/SwaggerConfig.java"
}
},
{
"id": "CVE-2022-45802-ef6ff3ca",
"digest": {
"function_hash": "321823652206749881358323027347823640346",
"length": 327.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/apache/streampark/commit/6788ebae61d2f6d5122572229ce0a3a2555cc46d",
"deprecated": false,
"target": {
"function": "apiInfo",
"file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/config/SwaggerConfig.java"
}
}
]