CVE-2023-30867 Information

Description

In the Streampark platform, when users log in to the system and use certain features, some pages provide a name-based fuzzy search, such as job names, role names, etc. The SQL syntax is: `select * from table where jobName like '%jobName%'`. However, the jobName field may receive illegal parameters, leading to SQL injection. This could potentially result in information leakage.
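The following is an added illustration of the defect class the description names, not code from StreamPark or from the advisory. It uses an in-memory SQLite table with a constructed `job` schema standing in for the real one, and shows the fuzzy search built by string concatenation next to a version that binds the pattern as a parameter and escapes the LIKE metacharacters. The function names and sample rows are assumptions for the example.

```python
import sqlite3

# Constructed sample rows; the table and column names are assumptions, not StreamPark's schema.
JOBS = [
    ("nightly-etl",),
    ("O'Brien report",),
    ("stats 10% sampled",),
    ("stats 100 sampled",),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE job (jobName TEXT)")
    conn.executemany("INSERT INTO job VALUES (?)", JOBS)
    return conn


def fuzzy_search_vulnerable(conn, job_name):
    # The pattern the advisory describes: user input spliced straight into the LIKE literal.
    # A quote in the input ends the string literal; % or _ in the input act as wildcards.
    sql = "SELECT jobName FROM job WHERE jobName LIKE '%" + job_name + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(value, esc="\\"):
    # Escape the escape character itself first, then the two LIKE metacharacters,
    # so user-supplied % and _ match themselves instead of acting as wildcards.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def fuzzy_search_safe(conn, job_name):
    # Bound parameter: the input is data, never part of the SQL text, so quotes are harmless.
    # ESCAPE clause: pairs with escape_like() so the search is a literal substring match.
    sql = "SELECT jobName FROM job WHERE jobName LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(job_name) + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


def compare(job_name):
    """Run both versions on one input and return (vulnerable result or error text, safe result)."""
    conn = make_db()
    try:
        vuln = fuzzy_search_vulnerable(conn, job_name)
    except sqlite3.OperationalError as exc:
        # The concatenated query is no longer well-formed SQL once the input contains a quote.
        vuln = "error: " + str(exc)
    safe = fuzzy_search_safe(conn, job_name)
    return vuln, safe


if __name__ == "__main__":
    for name in ["etl", "O'Brien", "10%"]:
        print(repr(name), compare(name))
```

Two effects are worth noting when reviewing a fix for this class of bug: a legitimate name containing an apostrophe breaks the concatenated query outright, which is the same control over the statement text that the advisory's "illegal parameters" exploit, and a name containing `%` or `_` silently widens the concatenated search even when no quote is involved. Parameter binding fixes the first; the ESCAPE clause plus `escape_like()` fixes the second.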

Mitigation

Users are recommended to upgrade to version 2.1.2 which fixes the issue.

Reference

https://lists.apache.org/thread/bhdzh6hnh04yyf3g203bbyvxryd720o2
