
CVE-2024-29178: Apache StreamPark: FreeMarker SSTI RCE Vulnerability

Description

In versions before 2.1.4, an authenticated user could perform a FreeMarker template injection attack that results in Remote Code Execution on the server. Because the attacker must first successfully log in to the system, this is rated a moderate-impact vulnerability.

Mitigation

All users should upgrade to 2.1.4.
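The following is an added illustration written for this page, not code from Apache StreamPark or from the advisory, and it does not reproduce the StreamPark-specific injection point (which the advisory does not describe). It shows the general FreeMarker bug class the advisory names: compiling user-controlled text as a template lets the `?new` built-in instantiate `freemarker.template.utility.Execute`, a public FreeMarker class that runs OS commands. It then shows the two fixes a reviewer would look for alongside the upgrade: treating user input strictly as a data-model value, and restricting the `new_builtin_class_resolver`. The class name `FreemarkerSstiDemo`, the sample input string and the helper method names are assumptions made for the demo; the FreeMarker API calls (`Configuration`, `Template`, `setNewBuiltinClassResolver`, `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER`) are the real library API.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

public class FreemarkerSstiDemo {

    // Constructed sample input (not from the advisory): the canonical FreeMarker
    // SSTI pattern. "?new" instantiates an arbitrary class by name; Execute is a
    // FreeMarker utility whose exec() method runs a shell command.
    static final String HOSTILE_INPUT =
        "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";

    // VULNERABLE PATTERN: the user-controlled string becomes the template source,
    // so FreeMarker parses and executes any directives it contains.
    // With a default Configuration (UNRESTRICTED_RESOLVER) and HOSTILE_INPUT,
    // this runs "id" on the server. Do not call it with a permissive config.
    static String renderUntrustedAsTemplate(Configuration cfg, String userText)
            throws IOException, TemplateException {
        Template t = new Template("user-supplied", new StringReader(userText), cfg);
        StringWriter out = new StringWriter();
        t.process(Map.of(), out);
        return out.toString();
    }

    // HARDENED PATTERN: the template is fixed and trusted; user text is only a
    // value in the data model and is never parsed for directives.
    static String renderUntrustedAsData(Configuration cfg, String userText)
            throws IOException, TemplateException {
        Template t = new Template("fixed", new StringReader("Hello, ${name}!"), cfg);
        StringWriter out = new StringWriter();
        t.process(Map.of("name", userText), out);
        return out.toString();
    }

    // DEFENCE IN DEPTH: even if some template source is user-influenced, forbid
    // "?new" entirely (ALLOWS_NOTHING_RESOLVER) or at least the dangerous
    // classes (SAFER_RESOLVER blocks Execute, ObjectConstructor, JythonRuntime),
    // and keep the "?api" built-in disabled so reflection is not reachable.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();

        // 1. Correct handling: the payload is echoed as inert text, not executed.
        System.out.println(renderUntrustedAsData(cfg, HOSTILE_INPUT));

        // 2. Misuse under the hardened config: the resolver refuses the
        //    instantiation and FreeMarker raises a TemplateException instead
        //    of running the command.
        try {
            renderUntrustedAsTemplate(cfg, HOSTILE_INPUT);
            System.out.println("UNEXPECTED: template was executed");
        } catch (TemplateException e) {
            System.out.println("Blocked by class resolver: " + e.getMessage());
        }
    }
}
```

The resolver setting is a backstop, not the fix: the root cause is accepting template source from a user, and the upgrade to 2.1.4 is what removes that in StreamPark. A quick audit check in any FreeMarker-based code base is to grep for `new Template(` and `StringTemplateLoader` and confirm that no argument flowing into them originates from a request parameter or a user-editable database field.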

Classification

CVE ID: CVE-2024-29178

Affected Products

Vendor: Apache Software Foundation

Product: Apache StreamPark

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.16% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 53.27% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-14 (date the score was calculated)

References

https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn
http://www.openwall.com/lists/oss-security/2024/07/18/1
