{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T06:46:19.461","vulnerabilities":[{"cve":{"id":"CVE-2025-32896","sourceIdentifier":"security@apache.org","published":"2025-06-19T11:15:24.190","lastModified":"2025-07-08T13:05:21.833","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"# Summary\n\nUnauthorized users can perform Arbitrary File Read and Deserialization\nattack by submit job using restful api-v1.\n\n# Details\nUnauthorized users can access `/hazelcast/rest/maps/submit-job` to submit\njob.\nAn attacker can set extra params in mysql url to perform Arbitrary File\nRead and Deserialization attack.\n\nThis issue affects Apache SeaTunnel: <=2.3.10\n\n# Fixed\n\nUsers are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue."},{"lang":"es","value":"Resumen: Usuarios no autorizados pueden realizar ataques de lectura arbitraria de archivos y deserialización al enviar trabajos con RESTful API-v1. # Detalles: Usuarios no autorizados pueden acceder a `/hazelcast/rest/maps/submit-job` para enviar trabajos. Un atacante puede establecer parámetros adicionales en la URL de MySQL para realizar ataques de lectura arbitraria de archivos y deserialización. 
Este problema afecta a Apache SeaTunnel: <=2.3.10 # Corregido: Se recomienda a los usuarios actualizar a la versión 2.3.11 y habilitar RESTful API-v2 y la autenticación bidireccional HTTPS abierta, lo que soluciona el problema."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-306"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:seatunnel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.3.1","versionEndExcluding":"2.3.11","matchCriteriaId":"B8B6B47C-99DA-4AB2-B296-569463F6C0D2"}]}]}],"references":[{"url":"https://github.com/apache/seatunnel/pull/9010","source":"security@apache.org","tags":["Issue Tracking","Patch"]},{"url":"https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2025/04/12/1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}}]}