CVE-2025-53960
MEDIUM5.9EPSS 0.06%Apache StreamPark: Use the user’s password as the secret key Vulnerability
發布日:2025/12/12修改日:2025/12/20
描述
When encrypting sensitive data, weak encryption keys that are fixed or directly generated based on user passwords are used. Attackers can obtain these keys through methods such as reverse engineering, code leaks, or password guessing, thereby decrypting stored or transmitted encrypted data, leading to the leakage of sensitive information. This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are recommended to upgrade to version 2.1.7, which fixes the issue.
受影響套件(1)
- Maven/org.apache.streampark:streampark>= 2.0.0, < 2.1.7
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-53960
- PATCHhttps://github.com/apache/streampark
- WEBhttps://github.com/apache/streampark/commit/39034db0c806168afa82e58e4f376e1e3c3b73e4
- WEBhttps://lists.apache.org/thread/xlpvfzf5l5m5mfyjwrz5h4dssm3c32vy
- WEBhttp://www.openwall.com/lists/oss-security/2025/12/04/1