Apache StreamPark (incubating): LDAP Injection Vulnerability
Description
Apache StreamPark 1.0.0 to 2.0.0 has an LDAP injection vulnerability. LDAP injection is an attack against web-based applications that construct LDAP statements from user input. When an application fails to properly sanitize that input, the LDAP statement can be modified through techniques similar to SQL injection. LDAP injection attacks could result in the granting of permissions to unauthorized queries and in content modification inside the LDAP tree. This risk only arises when the user logs in via LDAP; username-and-password login is not affected. Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.
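The description turns on one detail: a user-supplied value being spliced into an LDAP search filter without escaping. The following is an added example, not StreamPark's code, that shows the vulnerable concatenation pattern beside the hardened form, which escapes the RFC 4515 filter metacharacters (`\`, `*`, `(`, `)`, NUL) before the value is placed in the filter. The attribute name `uid`, the function names and the sample input are assumptions for illustration. The technique is language-independent; it is shown in Python so it can be run offline. Note that a value placed into a distinguished name (for example a bind DN) needs RFC 4514 DN escaping instead, which uses a different set of special characters.

```python
# Added example (not Apache StreamPark's code): building an LDAP login
# lookup filter with and without RFC 4515 escaping of the user input.

# RFC 4515 section 3: these characters must be escaped as \XX inside a
# filter value. The backslash entry is listed first because an escape
# routine must never re-escape the backslashes it has just emitted.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a single value for use inside an LDAP search filter."""
    # Per-character substitution is safe here: the replacement strings
    # contain a backslash plus hex digits, and the loop never revisits
    # characters it has already emitted.
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str, uid_attr: str = "uid") -> str:
    """The vulnerable pattern: raw user input spliced into the filter.

    Any '(' ')' '*' or '\\' in the input becomes filter syntax rather
    than part of the value being matched."""
    return f"({uid_attr}={username})"


def build_login_filter_safe(username: str, uid_attr: str = "uid") -> str:
    """Hardened form: the input can only ever be a literal value."""
    return f"({uid_attr}={escape_ldap_filter_value(username)})"


def count_filter_assertions(ldap_filter: str) -> int:
    """Cheap structural self-check a defender can run before searching.

    Counts unescaped '(' in a filter string, skipping \\XX escape
    sequences. A single-attribute login lookup must produce exactly 1;
    a larger count means user input changed the filter's structure."""
    count = 0
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count


# Constructed sample input (not from the advisory) that exercises every
# RFC 4515 metacharacter: ( a ) * b \ c
SAMPLE_INPUT = "(a)*b\\c"

if __name__ == "__main__":
    unsafe = build_login_filter_unsafe(SAMPLE_INPUT)
    safe = build_login_filter_safe(SAMPLE_INPUT)
    print("unsafe:", unsafe, "assertions:", count_filter_assertions(unsafe))
    print("safe:  ", safe, "assertions:", count_filter_assertions(safe))
```

Running the block prints two filters built from the same input: the unsafe one contains a second `(`, so the structural check reports two assertions, while the escaped one reports exactly one and matches a directory entry whose `uid` literally equals the typed string. The same check can be wired in front of any `search()` call as a last line of defence, but the fix is escaping at the point the value enters the filter, which is what upgrading to a patched version is expected to provide.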
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache StreamPark 1.0.0 to 2.0.0 contains an LDAP injection vulnerability that could allow unauthorized query permissions and LDAP tree modification.
Vulnerability
Apache StreamPark versions 1.0.0 through 2.0.0 are susceptible to LDAP injection when constructing LDAP statements from user input without proper sanitization [1]. This flaw occurs specifically during LDAP-based login, where user-supplied data is incorporated into LDAP queries, enabling attackers to manipulate the query structure.
Exploitation
An attacker can exploit this vulnerability by crafting malicious input during the LDAP authentication process [1]. The attack requires the application to be configured with LDAP authentication; username/password login is not affected [1]. Successful injection may allow an attacker to execute arbitrary LDAP statements, potentially bypassing authentication or authorization controls.
Impact
If exploited, LDAP injection could result in granting unauthorized permissions or modifying content within the LDAP directory tree [1]. This could lead to privilege escalation or unauthorized access to sensitive resources managed via LDAP.
Mitigation
Users should upgrade to Apache StreamPark 2.0.0 or later, which contains the fix [1]. No workarounds have been published beyond upgrading.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.streampark:streampark | Maven | >= 1.0.0, < 2.0.0 | 2.0.0 |
Affected products
- Apache Software Foundation / Apache StreamPark (incubating), range: 1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-pjfj-qvqw-3f6v (GHSA; advisory)
- lists.apache.org/thread/xbkwwpkp3n2rs2wcxg8l26mhsftxwwr9 (GHSA; vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2022-45801 (GHSA; advisory)
News mentions
No linked articles in our index yet.