CVE-2024-29178

{"id": "CVE-2024-29178", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-07-18T12:15:02.960", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/07/18/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/18/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server,\u00a0The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability.\n\nMitigation:\n\nall users should upgrade to 2.1.4"}, {"lang": "es", "value": "En versiones anteriores a la 2.1.4, un usuario pod\u00eda iniciar sesi\u00f3n y realizar un ataque de inyecci\u00f3n de plantilla que generaba una ejecuci\u00f3n remota de c\u00f3digo en el servidor. El atacante deb\u00eda iniciar sesi\u00f3n correctamente en el sistema para lanzar un ataque, por lo que se trata de una vulnerabilidad de impacto moderado. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.4"}], "lastModified": "2025-02-13T18:17:50.040", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "43F40411-3380-4B0F-BA0D-18C85BD8C615", "versionEndExcluding": "2.1.4"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}