PT-2023-31406 · Apache · Maven

Huajie Wang · Published 2023-12-15 · Updated 2024-01-05 · CVE-2023-49898

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: streampark versions prior to 2.1.2
Description: The issue lies in the project module of StreamPark, which integrates Maven's compilation capability. The Maven compilation parameters are not checked, so an attacker can insert commands into them and achieve remote command execution. A successful attack requires the attacker to log in to the StreamPark system and hold system-level permissions. Generally, only users of that system are authorized to log in, and such users would not manually input a dangerous operation command. Therefore, the risk level of this issue is very low.
Recommendations: All users should upgrade to 2.1.2 to mitigate the risk. As a temporary workaround, consider restricting access to the Maven compilation parameters to minimize the risk of exploitation. Avoid using the settings.xml file in the /usr/share/java/maven-3/conf/ directory with untrusted input until the issue is resolved.
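The description says the missing control is a check on user-supplied Maven compilation parameters. The following is an added, hypothetical illustration of that check, not StreamPark's own code: each token is accepted only if it matches a narrow allowlist (goals, -D properties, -P profiles, a few flags), options such as -s/--settings that would point Maven at another settings.xml are refused, and the build is launched as an argv list with no shell. The weak pattern (interpolating the raw string into a shell command) is shown beside it for contrast; `project_dir` is assumed to be server-controlled.

```python
import re
import shlex
import subprocess
from typing import List

# Allowlisted grammar for user-supplied Maven arguments (hypothetical policy).
_GOAL_RE = re.compile(r"^[a-z][a-z0-9-]*(:[a-z][a-z0-9-]*)?$")          # clean, package, compiler:compile
_PROP_RE = re.compile(r"^-D[A-Za-z][A-Za-z0-9_.-]*=[A-Za-z0-9_./:-]*$")  # -Dmaven.test.skip=true
_PROFILE_RE = re.compile(r"^-P[A-Za-z0-9_,-]+$")                        # -Pprod,fast
_FLAG_ALLOW = {"-q", "-B", "-U", "-o", "--no-transfer-progress", "-DskipTests"}


def validate_maven_args(raw: str) -> List[str]:
    """Tokenise the user string (shlex only splits, it executes nothing) and
    accept every token only if it matches the allowlist; otherwise raise."""
    tokens = shlex.split(raw)  # raises ValueError on unbalanced quotes
    for tok in tokens:
        if (tok in _FLAG_ALLOW or _GOAL_RE.match(tok)
                or _PROP_RE.match(tok) or _PROFILE_RE.match(tok)):
            continue
        # Anything else: shell metacharacters, -s/--settings, unknown flags.
        raise ValueError(f"rejected Maven argument: {tok!r}")
    return tokens


def is_accepted(raw: str) -> bool:
    """Convenience predicate around validate_maven_args."""
    try:
        validate_maven_args(raw)
        return True
    except ValueError:
        return False


def build_command_unsafe(project_dir: str, raw: str) -> str:
    """Weak pattern: raw user text is spliced into a single shell string."""
    return f"cd {project_dir} && mvn clean package {raw}"


def build_command_safe(project_dir: str, raw: str) -> List[str]:
    """Hardened: validated tokens become separate argv entries."""
    return ["mvn", "-f", f"{project_dir}/pom.xml", "clean", "package",
            *validate_maven_args(raw)]


def run_build(project_dir: str, raw: str) -> subprocess.CompletedProcess:
    """Launch Maven without a shell so argv is never re-parsed."""
    return subprocess.run(build_command_safe(project_dir, raw), shell=False,
                          check=True, capture_output=True, text=True)
```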

Fix

Weakness Enumeration: Command Injection

Related Identifiers: CVE-2023-49898, GHSA-QG44-XQWJ-WC28

Affected Products: Maven