Vulnerabilities > CVE-2024-31979 - Server-Side Request Forgery (SSRF) vulnerability in Apache Streampipes

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

network

low complexity

apache

CWE-918

NVD

Published: 2024-07-17

Updated: 2024-07-25

Summary

Server-Side Request Forgery (SSRF) vulnerability in Apache StreamPipes during installation process of pipeline elements. Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an attacker to get StreamPipes to send an HTTP GET request to an arbitrary address. This issue affects Apache StreamPipes: through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Streampipes 0.55.1 Apache Streampipes 0.55.2 Apache Streampipes 0.60.0 Apache Streampipes 0.60.1 Apache Streampipes 0.61.0 Apache Streampipes 0.62.0 Apache Streampipes 0.63.0 Apache Streampipes 0.64.0 Apache Streampipes 0.65.0 Apache Streampipes 0.66.0 Apache Streampipes 0.67.0 Apache Streampipes 0.68.0 Apache Streampipes 0.69.0 Apache Streampipes 0.70.0 Apache Streampipes 0.90.0 Apache Streampipes 0.91.0 Apache Streampipes 0.92.0 Apache Streampipes 0.93.0	18

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://lists.apache.org/thread/8lryp3bxnby9kmk13odkz2jbfdjfvf0y