CVE-2025-54947
BaseFortify
Publication date: 2025-12-12
Last updated on: 2025-12-15
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | streampark | From 2.0.0 (inc) to 2.1.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache StreamPark versions from 2.0.0 up to (but not including) 2.1.7 involves the use of a hard-coded encryption key. Instead of generating the key at deployment time or loading it from secure configuration, the software ships with a fixed, unchangeable key embedded in its code. Anyone who obtains that key, for example through reverse engineering or code analysis of the distributed software, can decrypt data it protects or forge data that the application will accept as validly encrypted.
How can this vulnerability impact me?
The vulnerability can lead to information disclosure or unauthorized system access because attackers who obtain the hard-coded encryption key can decrypt sensitive data or create forged encrypted information.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Apache StreamPark to version 2.1.7 or later, as this version fixes the hard-coded encryption key vulnerability.