Message-ID: <d4fabfcd-4996-20b3-0d7a-37cefce89433@apache.org>
Date: Sat, 12 Apr 2025 05:56:55 +0000
From: Hailin Wang <wanghailin@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-32896: Apache SeaTunnel: Unauthenticated insecure access 

Severity: moderate

Affected versions:

- Apache SeaTunnel 2.3.1 through 2.3.10

Description:

# Summary

Unauthorized users can perform an Arbitrary File Read and Deserialization
attack by submitting a job through the RESTful API v1.

# Details
Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit a
job.
An attacker can set extra parameters in the MySQL URL of that job to perform
an Arbitrary File Read and Deserialization attack.

This issue affects Apache SeaTunnel: <=2.3.10
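The two conditions the advisory describes (an unauthenticated request to the submit-job endpoint, and a job whose MySQL URL carries unexpected extra parameters) can both be checked on the operator's side. The following is an added example, not code from the advisory or the SeaTunnel project; the endpoint path and the MySQL URL scheme come from the advisory, while the parameter allowlist, the access-log format and the function names are assumptions.

```python
"""Added example (not part of the advisory or of Apache SeaTunnel).
Endpoint path and MySQL URL scheme come from the advisory; the parameter
allowlist, log format and function names are assumptions."""
from urllib.parse import urlsplit, parse_qs

SUBMIT_JOB_PATH = "/hazelcast/rest/maps/submit-job"  # from the advisory

# Assumed allowlist: connection options an operator expects in a job's
# MySQL URL. Anything else is reported instead of being passed to the driver.
ALLOWED_MYSQL_PARAMS = {"usessl", "servertimezone", "charactersetresults"}


def extra_mysql_params(url: str) -> list[str]:
    """Return query parameters of a jdbc:mysql URL that are not allowlisted.

    Returns [] for a clean URL or for a non-MySQL URL. Names are compared
    case-insensitively because the driver accepts either spelling.
    """
    if url.lower().startswith("jdbc:"):
        url = url[len("jdbc:"):]
    parts = urlsplit(url)
    if parts.scheme.lower() != "mysql":
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    return sorted(p for p in params if p.lower() not in ALLOWED_MYSQL_PARAMS)


def unauthenticated_submit_jobs(log_lines: list[str]) -> list[str]:
    """Return the clients that hit the submit-job endpoint with no credential.

    Assumed log format: '<client> <method> <path> <auth>', where <auth> is
    '-' when the request carried no Authorization header.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, _method, path, auth = fields[:4]
        if path.split("?", 1)[0] == SUBMIT_JOB_PATH and auth == "-":
            hits.append(client)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 POST /hazelcast/rest/maps/submit-job -",
    "10.0.0.6 POST /hazelcast/rest/maps/submit-job Basic",
    "10.0.0.7 GET /some/other/path -",
]
```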

# Fixed

Users are recommended to upgrade to version 2.3.11, enable the RESTful API v2,
and enable HTTPS two-way authentication, which fixes the issue.

https://github.com/apache/seatunnel/pull/9010

Credit:

Owen Amadeus (reporter)

References:

https://seatunnel.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-32896
