====================================================================

                              CERT-Renater

                   Note d'Information No. 2023/VULN236

_____________________________________________________________________

DATE                : 29/06/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache StreamPipes versions prior
                                         to 0.92.0.

====================================================================
https://lists.apache.org/thread/lq45npw1cxdw47xf2ytrk6l6qr16nof2
_____________________________________________________________________

CVE-2023-31469: Apache StreamPipes: Privilege escalation through 
non-admin user
Severity: important

Affected versions:

- Apache StreamPipes 0.69.0 through 0.91.0


Description:

A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was
not properly restricted to admin-only access. This allowed a
non-admin user with valid login credentials to elevate privileges
beyond the initially assigned roles.

The issue is resolved by upgrading to StreamPipes 0.92.0.


Credit:

Xun Bai, LJQC Open Source Security Institute (finder)


References:

https://streampipes.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-31469



========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
========================================================