CVE-2024-29737: Apache StreamPark (incubating): maven build params could trigger remote command execution

[Huajie Wang <benjobs () apache org>]

Severity: low

Affected versions:

- Apache StreamPark (incubating) 2.0.0 before 2.1.4

Description:

In streampark, the project module integrates Maven's compilation capabilities. The input parameter validation is not 
strict, allowing attackers to insert commands for remote command execution, The prerequisite for a successful attack is 
that the user needs to log in to the streampark system and have system-level permissions. Generally, only users of that 
system have the authorization to log in, and users would not manually input a dangerous operation command. Therefore, 
the risk level of this vulnerability is very low.

Mitigation:

all users should upgrade to 2.1.4

Background info:

Log in to Streampark using the default username (e.g. test1, test2, test3) and the default password (streampark). 
Navigate to the Project module, then add a new project. Enter the git repository address of the project and input 
`touch /tmp/success_2.1.2` as the "Build Argument". Note that there is no verification and interception of the special 
character "`". As a result, you will find that this injection command will be successfully executed after executing the 
build.

In the latest version, the special symbol ` is intercepted.

Credit:

L0ne1y (reporter)

References:

https://streampark.incubator.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-29737