CVE-2025-32896 Information
Description
Summary
Unauthorized users can perform Arbitrary File Read and Deserialization attacks by submitting a job using restful api-v1.
Details
Unauthorized users can access /hazelcast/rest/maps/submit-job to submit a job.
An attacker can set extra parameters in the MySQL URL to perform Arbitrary File Read and Deserialization attacks.
This issue affects Apache SeaTunnel: <=2.3.10
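As a defense-in-depth check alongside the upgrade, job definitions can be audited before they reach the engine so that any MySQL JDBC URL carrying parameters outside a local allowlist is rejected. The following is an added example, not code from the advisory or from Apache SeaTunnel; the allowlist contents, the sample job body and the function names are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Assumption: the only URL parameters this deployment's jobs legitimately need.
ALLOWED_PARAMS = {"useSSL", "serverTimezone", "characterEncoding", "connectTimeout"}


def check_mysql_url(url, allowed=ALLOWED_PARAMS):
    """Return the reasons to reject this JDBC URL (empty list means accept)."""
    problems = []
    base, _, query = url.partition("?")
    # Connector/J also accepts properties inside parenthesised host blocks.
    # This check does not parse that form, so it fails closed on it.
    if "(" in base:
        problems.append("host block syntax not permitted")
    for key, _value in parse_qsl(query, keep_blank_values=True):
        # Exact match after percent-decoding: unknown or re-cased names are rejected.
        if key not in allowed:
            problems.append(f"parameter not on allowlist: {key}")
    return problems


def audit_job(node, path="job"):
    """Walk a parsed job config; return (path, url, problems) per rejected MySQL URL."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings += audit_job(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings += audit_job(value, f"{path}[{index}]")
    elif isinstance(node, str) and node.strip().lower().startswith("jdbc:mysql"):
        problems = check_mysql_url(node.strip())
        if problems:
            findings.append((path, node, problems))
    return findings


# Constructed sample job body (hosts and the extra parameter name are placeholders).
SAMPLE_JOB = {
    "env": {"job.mode": "BATCH"},
    "source": [{"plugin_name": "Jdbc",
                "url": "jdbc:mysql://db.example.internal:3306/app?useSSL=true&exampleExtraParam=1"}],
    "sink": [{"plugin_name": "Jdbc",
              "url": "jdbc:mysql://db.example.internal:3306/dw?useSSL=true"}],
}

if __name__ == "__main__":
    for where, _url, reasons in audit_job(SAMPLE_JOB):
        print(where, reasons)
```

An allowlist is used rather than a blocklist so that parameters the reviewer has not evaluated are rejected by default.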
Fixed
Users are recommended to upgrade to version 2.3.11, enable restful api-v2, and turn on HTTPS two-way authentication, which fixes the issue.
Reference
http://www.openwall.com/lists/oss-security/2025/04/12/1
https://github.com/apache/seatunnel/pull/9010
https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9
Related CNNVD
CNNVD-202506-2577 (Published: 2025-06-19)