CRITICAL🇵🇱 Wersja polska

CVE-2025-54947

CVSS 9.8v3.1pub. 2025-12-12upd. 2025-12-15

In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.

🤖 AI Analysis
How it works

The system, instead of dynamically generating or securely configuring cryptographic keys, uses a fixed, immutable encryption key embedded in the application code (CWE-321, CWE-798). Since the key is identical across all installations, an attacker can extract it through source code analysis or reverse engineering of the compiled software. With the key in hand, the attacker can decrypt data protected by the application or create forged encrypted data that the system will accept as valid.

Impact

An attacker can gain access to sensitive data (information disclosure) or perform unauthorized system access by forging encrypted authentication credentials or sessions.

Mitigation & patch

Apache StreamPark should be updated to version 2.1.7, which eliminates the vulnerability by removing the hardcoded encryption key.

Who is affected

Apache StreamPark versions from 2.0.0 to 2.1.4 (before 2.1.7)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Streampark

    APP
    Apache
    2.0.0 – 2.1.7 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-29070CRITICAL9.1PL ✓ten sam produkt

Apache Streampark: sesja nie jest unieważniana po wylogowaniu

CVE-2022-46365CRITICAL9.1ten sam produkt

Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username w...

CVE-2022-45802CRITICAL9.8ten sam produkt

Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uplo...

CVE-2025-54981HIGH7.5ten sam produkt

Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generat...

CVE-2025-30001HIGH7.3ten sam produkt

Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache Stream...