In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.
The system, instead of dynamically generating or securely configuring cryptographic keys, uses a fixed, immutable encryption key embedded in the application code (CWE-321, CWE-798). Since the key is identical across all installations, an attacker can extract it through source code analysis or reverse engineering of the compiled software. With the key in hand, the attacker can decrypt data protected by the application or create forged encrypted data that the system will accept as valid.
An attacker can gain access to sensitive data (information disclosure) or perform unauthorized system access by forging encrypted authentication credentials or sessions.
Apache StreamPark should be updated to version 2.1.7, which eliminates the vulnerability by removing the hardcoded encryption key.
Apache StreamPark versions from 2.0.0 to 2.1.4 (before 2.1.7)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Streampark
APPApache2.0.0 – 2.1.7 (bez)
Related vulnerabilities
Apache Streampark: sesja nie jest unieważniana po wylogowaniu
Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username w...
Streampark allows any users to upload a jar as application, but there is no mandatory verification of the uplo...
Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generat...
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache Stream...