Apache StreamPark 1.0.0 before 2.0.0 When the user successfully logs in, to modify his profile, the username will be passed to the server-layer as a parameter, but not verified whether the user name is the currently logged user and whether the user is legal, This will allow malicious attackers to send any username to modify and reset the account, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later.

Affected Packages

Maven org.apache.streampark:streampark

Affected versions: 1.0.0 (fixed in 2.0.0)

Related CVEs

CVE-2022-46365

Key Information

GHSA ID

GHSA-m5h8-2pjw-vg3j

Published

July 6, 2023 7:24 PM

Last Modified

July 6, 2023 11:08 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.streampark:streampark

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.