GHSA-prv5-c2px-j9q3

Source
https://github.com/advisories/GHSA-prv5-c2px-j9q3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-prv5-c2px-j9q3/GHSA-prv5-c2px-j9q3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-prv5-c2px-j9q3
Aliases
Published
2025-12-12T15:30:41Z
Modified
2025-12-17T00:44:39.484010Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Apache StreamPark has a hard-coded encryption key
Details

Apache StreamPark versions 2.0.0 up to, but not including, 2.1.7 use a hard-coded encryption key (CWE-321, CWE-798): the key is a fixed constant compiled into the software rather than generated per deployment or supplied through secure configuration. Because every installation shares the same key, an attacker who recovers it by decompiling or otherwise inspecting the distributed code can decrypt data it protects or forge encrypted values the application trusts, leading to information disclosure or unauthorized system access.

This issue affects Apache StreamPark from 2.0.0 before 2.1.7.

Users are recommended to upgrade to version 2.1.7, which fixes the issue.
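The vulnerable pattern and its remedy, as an added illustration that is not StreamPark's code: `HardcodedKeyCrypto` bakes an AES key into a compile-time constant (the value is made up for this example), so anyone who can read the jar with `javap -c` or `strings` recovers the same key every deployment uses. `ConfiguredKeyCrypto` instead loads a per-deployment key from a hypothetical `APP_ENCRYPTION_KEY_B64` environment variable, validates its length, and refuses to start rather than silently fall back to a built-in key. The sample plaintext is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyHandlingDemo {

    // CWE-321 / CWE-798 pattern: the key is a compile-time constant. Anyone who can read
    // the jar (javap, strings, a decompiler) recovers it, and it is identical everywhere.
    // Illustrative value only, not StreamPark's actual key.
    static final class HardcodedKeyCrypto {
        private static final byte[] FIXED_KEY =
                "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII); // 32 bytes

        static SecretKey key() {
            return new SecretKeySpec(FIXED_KEY, "AES");
        }
    }

    // Hardened pattern: the key is supplied per deployment (environment variable here,
    // a secrets manager or KMS in production) and never appears in code or in the jar.
    static final class ConfiguredKeyCrypto {
        static final String ENV_VAR = "APP_ENCRYPTION_KEY_B64"; // hypothetical variable name

        static SecretKey key() {
            String b64 = System.getenv(ENV_VAR);
            if (b64 == null || b64.isEmpty()) {
                throw new IllegalStateException(ENV_VAR + " is not set; refusing to fall back to a built-in key");
            }
            byte[] raw = Base64.getDecoder().decode(b64);
            if (raw.length != 32) {
                throw new IllegalStateException("expected a 256-bit key, got " + (raw.length * 8) + " bits");
            }
            return new SecretKeySpec(raw, "AES");
        }

        // Run once at install time by the operator to produce the value for ENV_VAR.
        static String generateKeyB64() {
            byte[] raw = new byte[32];
            new SecureRandom().nextBytes(raw);
            return Base64.getEncoder().encodeToString(raw);
        }
    }

    // AES-GCM with a fresh random 96-bit nonce prepended to the ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] secret = "jdbc password: s3cr3t".getBytes(StandardCharsets.UTF_8); // constructed sample

        // An attacker who pulled FIXED_KEY out of the jar decrypts stored values directly,
        // and can encrypt values of their own that the application will accept as genuine.
        byte[] stored = encrypt(HardcodedKeyCrypto.key(), secret);
        byte[] recovered = decrypt(new SecretKeySpec(HardcodedKeyCrypto.FIXED_KEY, "AES"), stored);
        System.out.println("hard-coded key recovers plaintext: " + Arrays.equals(secret, recovered));

        // With a per-deployment key the jar alone yields nothing usable; absence of the
        // key is a hard startup failure, not a silent downgrade.
        System.out.println("generate once with: export " + ConfiguredKeyCrypto.ENV_VAR
                + "=" + ConfiguredKeyCrypto.generateKeyB64());
        try {
            byte[] protectedBlob = encrypt(ConfiguredKeyCrypto.key(), secret);
            System.out.println("encrypted with configured key, " + protectedBlob.length + " bytes");
        } catch (IllegalStateException e) {
            System.out.println("startup refused: " + e.getMessage());
        }
    }
}
```

Run it once without `APP_ENCRYPTION_KEY_B64` set to see the hardened path refuse, then export the printed key and run again. When auditing a build for this class of bug, the check is the same as the attacker's: decompile or `strings` the artifact and look for fixed-length literals fed into `SecretKeySpec`, `Cipher.init`, or a KDF with a constant salt.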

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-321",
        "CWE-798"
    ],
    "nvd_published_at": "2025-12-12T15:15:53Z",
    "github_reviewed_at": "2025-12-12T19:22:52Z",
    "severity": "HIGH"
}
References

Affected packages

Maven / org.apache.streampark:streampark

Package

Name
org.apache.streampark:streampark
Purl
pkg:maven/org.apache.streampark/streampark

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.1.7

Affected versions

2.*
2.0.0
2.1.0
2.1.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-prv5-c2px-j9q3/GHSA-prv5-c2px-j9q3.json"