CVE-2023-30867

Name of the Vulnerable Software and Affected Versions Streampark versions prior to 2.1.2

Description The issue arises in the Streampark platform when users log in and utilize certain features, specifically those providing name-based fuzzy search functionality for items like job names and role names. The SQL syntax used is select * from table where jobName like '%jobName%'. However, the jobName field is susceptible to receiving illegal parameters, which can lead to SQL injection and potentially result in information leakage.

Recommendations For versions prior to 2.1.2, users are recommended to upgrade to version 2.1.2, which fixes the issue. As a temporary workaround, consider restricting the use of the fuzzy search feature until the upgrade is applied. Additionally, users should avoid using the jobName field in the affected SQL syntax until the issue is resolved.