CVE-2024-31979

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-31979

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

S

erver-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

References
Link Resource
https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/07/16/11
https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y Mailing List Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*
History

21 Nov 2024, 09:14

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/07/16/11 -
References () https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y - Mailing List, Vendor Advisory () https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y - Mailing List, Vendor Advisory

01 Aug 2024, 13:51

Type Values Removed Values Added
CPE cpe:2.3:a:apache:streampipes:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.3
References () https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y - () https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y - Mailing List, Vendor Advisory
First Time Apache streampipes
Apache
Summary
  • (es) Vulnerabilidad de Server-Side Request Forgery (SSRF) en Apache StreamPipes durante el proceso de instalación de elementos de canalización. Anteriormente, StreamPipes permitía a los usuarios configurar endpoints personalizados desde los cuales instalar elementos de canalización adicionales. Estos endpoints no se validaron adecuadamente, lo que permitió que un atacante lograra que StreamPipes enviara una solicitud HTTP GET a una dirección arbitraria. Este problema afecta a Apache StreamPipes: hasta 0.93.0. Se recomienda a los usuarios actualizar a la versión 0.95.0, que soluciona el problema.

17 Jul 2024, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-17 09:15

Updated : 2024-11-21 09:14

NVD link : CVE-2024-31979

Mitre link : CVE-2024-31979

CVE.ORG link : CVE-2024-31979

JSON object : View

Products Affected

apache

CWE
CWE-918

Server-Side Request Forgery (SSRF)