Description

# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

INFO

Published Date :

2025-06-19T10:38:37.159Z

Last Modified :

2025-06-20T13:53:28.835Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2025-32896 vulnerability.

Vendors Products
Apache
  • Seatunnel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-32896.

URL Resource
http://www.openwall.com/lists/oss-security/2025/04/12/1 cve-icon
https://github.com/apache/seatunnel/pull/9010 cve-icon cve-icon
https://lists.apache.org/thread/qvh3zyt1jr25rgvw955rb8qjrnbxfro9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact