StreamPark
by Apache
CVEs (5)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-53960 | 0.00 | — | 0.00 | Dec 12, 2025 | When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. | |||
| CVE-2025-54947 | 0.00 | — | 0.00 | Dec 12, 2025 | In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. | |||
| CVE-2025-54981 | 0.00 | — | 0.00 | Dec 12, 2025 | Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue. | |||
| CVE-2025-30001 | 0.00 | — | 0.00 | Oct 10, 2025 | Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. | |||
| CVE-2024-48988 | 0.00 | — | 0.00 | Aug 22, 2025 | SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts. It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). As a result, the associated risk is considered relatively low. |
- CVE-2025-53960Dec 12, 2025risk 0.00cvss —epss 0.00
When issuing JSON Web Tokens (JWT), Apache StreamPark directly uses the user's password as the HMAC signing key (e.g., with the HS256 algorithm). An attacker can exploit this vulnerability to perform offline brute-force attacks on the user's password using a captured JWT, or to arbitrarily forge identity tokens for the user if the password is already known, ultimately leading to complete account takeover. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.
- CVE-2025-54947Dec 12, 2025risk 0.00cvss —epss 0.00
In Apache StreamPark versions 2.0.0 through 2.1.7, a security vulnerability involving a hard-coded encryption key exists. This vulnerability occurs because the system uses a fixed, immutable key for encryption instead of dynamically generating or securely configuring the key. Attackers may obtain this key through reverse engineering or code analysis, potentially decrypting sensitive data or forging encrypted information, leading to information disclosure or unauthorized system access. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.
- CVE-2025-54981Dec 12, 2025risk 0.00cvss —epss 0.00
Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.
- CVE-2025-30001Oct 10, 2025risk 0.00cvss —epss 0.00
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue.
- CVE-2024-48988Aug 22, 2025risk 0.00cvss —epss 0.00
SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts. It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). As a result, the associated risk is considered relatively low.