org.apache.streampark:streampark is vulnerable to Improper Input Validation. The vulnerability exists because the resetPassword
function of UserServiceImpl.java
does not properly verify whether the user name is the currently logged in user and whether the user is legal, which allows a malicious attacker to send any username to modify and reset the account.
github.com/apache/incubator-streampark/blob/dev/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/impl/UserServiceImpl.java#L149-L162
github.com/apache/incubator-streampark/commit/4b20ce53ee478a03ef0fd60b726526cef8e7a2cf
lists.apache.org/thread/f68lcwrp8pcdc4yrbpcm8j7m0f5mjn7h