CVE-2022-46365

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-46365

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46365.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-46365

Aliases

GHSA-m5h8-2pjw-vg3j

Published

2023-05-01T15:15:09.013Z

Modified

2025-11-20T12:11:22.537878Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

References

https://lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h

Affected packages

Git / github.com/apache/incubator-streampark

Affected ranges

Type: GIT
Repo: https://github.com/apache/incubator-streampark
Events: Introduced

46037f303e19903048f8de1d4edc636fae8e206b

Fixed

6788ebae61d2f6d5122572229ce0a3a2555cc46d

Affected versions

V1.*

V1.1.1

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.1-beta.1

v1.2.2

v1.2.3

v2.*

v2.0.0-rc1

v2.0.0-rc2

v2.0.0-rc3

v2.0.0-rc4

v2.0.0-rc5

v2.0.0-rc6

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "71656344722943312801849449711893507401",
                "64659150857662134098151502217020028558",
                "262492611120373913243113230441025832054",
                "202110951636850579304562443264749786966"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/6788ebae61d2f6d5122572229ce0a3a2555cc46d",
        "target": {
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/config/SwaggerConfig.java"
        },
        "id": "CVE-2022-46365-e3629dbf"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 327.0,
            "function_hash": "321823652206749881358323027347823640346"
        },
        "signature_version": "v1",
        "source": "https://github.com/apache/incubator-streampark/commit/6788ebae61d2f6d5122572229ce0a3a2555cc46d",
        "target": {
            "file": "streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/base/config/SwaggerConfig.java",
            "function": "apiInfo"
        },
        "id": "CVE-2022-46365-e82dde0d"
    }
]