oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-32896: Apache SeaTunnel: Unauthenticated insecure access

From: Hailin Wang <wanghailin () apache org>
Date: Sat, 12 Apr 2025 05:56:55 +0000
Severity: moderate

Affected versions:

- Apache SeaTunnel 2.3.1 through 2.3.10

Description:

# Summary

Unauthorized users can perform Arbitrary File Read and Deserialization
attack by submit job using restful api-v1.

# Details
Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit
job.
An attacker can set extra params in mysql url to perform Arbitrary File
Read and Deserialization attack.

This issue affects Apache SeaTunnel: <=2.3.10

# Fixed

Users are recommended to upgrade to version 2.3.11, and 
enable restful api-v2 & open https two-way authentication , which fixes the issue.

 https://github.com/apache/seatunnel/pull/9010

Credit:

Owen Amadeus (reporter)

References:

https://seatunnel.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-32896
Previous By Date Next
Previous By Thread Next

Current thread: