=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN909
_____________________________________________________________________

DATE                : 30/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache StreamPipes versions
                     prior to 0.98.0.

=====================================================================
https://lists.apache.org/thread/hpwwolwjjlnbj1zy0x066mvwlglfjl19
_____________________________________________________________________

CVE-2025-47411: Apache StreamPipes: Leverage of User ID for Privilege
Escalation

Severity: important 

Affected versions:

- Apache StreamPipes 0.69.0 through 0.97.0

Description:

A user with a legitimate non-administrator account can exploit a
vulnerability in the user ID creation mechanism in Apache StreamPipes
that allows them to swap the username of an existing user with that
of an administrator. 

This vulnerability allows an attacker to gain administrative control
over the application by manipulating JWT tokens, which can lead to data
tampering, unauthorized access and other security issues.

This issue affects Apache StreamPipes versions up to and including
0.97.0.

Users are recommended to upgrade to version 0.98.0, which fixes the
issue.

Credit:

darren.xuan@mantelgroup.com.au (finder)

References:

https://streampipes.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-47411

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================