oss-security - CVE-2024-31411: Apache StreamPipes: Potential remote code execution (RCE) via file upload

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <3dcd4d1f-03c4-0bc8-bf24-b24352ab1afd@apache.org>
Date: Tue, 16 Jul 2024 19:01:26 +0000
From: Dominik Riemer <riemer@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-31411: Apache StreamPipes: Potential remote code
 execution (RCE) via file upload 

Severity: moderate

Affected versions:

- Apache StreamPipes through 0.93.0

Description:

Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.
Such a dangerous type might be an executable file that may lead to a remote code execution (RCE).
The unrestricted upload is only possible for authenticated and authorized users.
This issue affects Apache StreamPipes: through 0.93.0.

Users are recommended to upgrade to version 0.95.0, which fixes the issue.

Credit:

L0ne1y (finder)

References:

https://streampipes.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-31411

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.