Apache StreamPark (incubating): Authenticated system users could trigger SQL injection vulnerability
Description
In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The sql syntax :select * from table where jobName like '%jobName%'. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.
Mitigation:
Users are recommended to upgrade to version 2.1.2, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache StreamPark before 2.1.2 has a SQL injection vulnerability in name-based fuzzy search features, leading to potential information leakage.
Vulnerability
Description CVE-2023-30867 is a SQL injection vulnerability in Apache StreamPark, a streaming application development framework. The flaw occurs when users perform name-based fuzzy searches (e.g., for job names or role names) on certain pages. The application constructs SQL queries by directly concatenating user input into LIKE clauses, such as select * from table where jobName like '%jobName%'. The jobName field is not properly sanitized, allowing attackers to inject arbitrary SQL commands [1].
Attack
Vector Exploitation requires an authenticated user to send crafted input to the vulnerable search feature. The attacker must be logged in and have access to the fuzzy search functionality. By inserting SQL meta-characters (e.g., single quotes, UNION statements) into the search term, an attacker can manipulate the query beyond its intended scope. No special network position is required beyond normal access to the platform [1].
Impact
Successful SQL injection can lead to information leakage. An attacker may extract sensitive data from the database, including user credentials, application configurations, or other stored information. The vulnerability does not directly enable remote code execution, but the data exposure can compromise confidentiality and serve as a stepping stone for further attacks [1].
Mitigation
The issue is fixed in Apache StreamPark version 2.1.2. Users are strongly advised to upgrade to this version or later. No workarounds are documented. As of the publication date, there is no evidence of active exploitation in the wild, but patching is recommended to prevent potential data breaches [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.streampark:streamparkMaven | >= 2.0.0, < 2.1.2 | 2.1.2 |
Affected products
2- Apache Software Foundation/Apache StreamPark (incubating)v5Range: 2.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-rrcg-jwr5-32g7ghsaADVISORY
- lists.apache.org/thread/bhdzh6hnh04yyf3g203bbyvxryd720o2ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-30867ghsaADVISORY
News mentions
0No linked articles in our index yet.