Apache StreamPark Encryption Key Weakness

MEDIUM (5.9) No Patch (1 day)

Threat Intelligence

Low Risk
EPSS Score: 0.01% chance of exploitation (percentile: 1%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Apache StreamPark is a Java-based platform for developing and operating Flink and Spark streaming applications, and it uses encryption to protect sensitive data it stores and transmits. The vulnerability is that the encryption key is fixed or weakly generated: a key compiled into the distributed artifact is the same for every installation and can be read out by anyone who reverse engineers the code or obtains a copy of it, and a key derived from a short or predictable value can be recovered by guessing. Whoever holds the key can decrypt any data StreamPark protected with it, whether stored or in transit.
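The following added example (written for this page, not code from StreamPark) shows why a fixed or weakly derived key defeats otherwise sound encryption. The vulnerable pattern derives an AES key from a constant passphrase compiled into the code; the attacker's guessKey routine needs nothing but a short wordlist, because AES-GCM's tag check tells it when a candidate key is right. The hardened pattern takes 256 bits from SecureRandom, which the same wordlist can never hit. The passphrase "streampark", the wordlist and the sample plaintext are constructed for the demo and are not values from the project.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyWeaknessDemo {

    // Vulnerable pattern: a constant passphrase shipped inside the artifact. Every deployment
    // shares it, and anyone who can read the jar or guess the word holds the key.
    // (Constructed example value, not StreamPark's.)
    static final String HARDCODED_PASSPHRASE = "streampark";

    // Weak key derivation: the key space collapses to the set of passphrases someone might pick.
    static SecretKey keyFromPassphrase(String passphrase) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(passphrase.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(digest, "AES");
    }

    // Hardened pattern: 256 random bits from a CSPRNG, generated once per deployment and
    // supplied from outside the code base (environment, secrets manager, keystore).
    static SecretKey randomKey() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return new SecretKeySpec(raw, "AES");
    }

    // AES-256-GCM with a fresh 12-byte nonce; output layout is nonce || ciphertext || tag.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Throws AEADBadTagException (a GeneralSecurityException) when the key is wrong.
    static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return cipher.doFinal(blob, 12, blob.length - 12);
    }

    // Attacker's view: try each candidate passphrase against a captured ciphertext.
    // Returns the recovered plaintext, or null if no candidate is the key.
    static String guessKey(byte[] blob, List<String> wordlist) {
        for (String candidate : wordlist) {
            try {
                byte[] pt = decrypt(keyFromPassphrase(candidate), blob);
                return "'" + candidate + "' -> " + new String(pt, StandardCharsets.UTF_8);
            } catch (GeneralSecurityException e) {
                // wrong key: GCM tag verification failed, move on
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret of the kind a platform stores encrypted.
        byte[] secret = "jdbc.password=hunter2".getBytes(StandardCharsets.UTF_8);
        List<String> wordlist = Arrays.asList("admin", "flink", "streampark", "changeme");

        byte[] weakBlob = encrypt(keyFromPassphrase(HARDCODED_PASSPHRASE), secret);
        System.out.println("fixed key:  " + guessKey(weakBlob, wordlist));

        byte[] strongBlob = encrypt(randomKey(), secret);
        System.out.println("random key: " + guessKey(strongBlob, wordlist));
    }
}
```

Run with `java KeyWeaknessDemo.java` (JDK 11 or later). The first line prints the recovered passphrase and plaintext; the second prints `null`. Note that the cipher and mode are identical in both cases: the only difference is where the key came from, which is exactly the weakness this advisory describes.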

Am I affected?

Affected versions: 2.1.7

Affected Packages

maven: org.apache.streampark:streampark-core

Affected Products

Apache Software Foundation / StreamPark

How to fix

Upgrade to a fixed release once one is published; this advisory lists no patch and marks 2.1.7 as affected.
Maven: update the org.apache.streampark:streampark-core version in your pom.xml once a fixed release exists
Immediate mitigations:
- Restrict network access to your StreamPark instance (firewall it from the public internet) so that neither the encrypted data nor the artifact holding the key is reachable by outsiders
- Treat every secret StreamPark encrypted under the fixed or weak key as exposed, and rotate those credentials once you have upgraded
- If your deployment lets you configure the encryption key, replace any default or shared value with a unique, randomly generated one
- Monitor for unauthorized access to the StreamPark instance and to the encrypted data it stores