CVE-2024-29737: 
Java vulnerability analysis and mitigation

Apache StreamPark (incubating) versions 2.0.0 before 2.1.4 contain a command injection vulnerability in the project module's Maven compilation capabilities. The vulnerability is tracked as CVE-2024-29737 and was disclosed on July 17, 2024. The issue affects the build parameter validation in StreamPark's project module (OSS Security).

The vulnerability stems from insufficient input validation of build parameters in the project module. Specifically, the system fails to properly validate and intercept special characters like the backtick (`) in build arguments. When a malicious build argument containing these special characters is provided, it can lead to command injection and subsequent execution during the build process (CVE Details).

The vulnerability allows authenticated users with system-level permissions to execute arbitrary commands on the system through the Maven build parameters. However, the impact is considered low since it requires both valid authentication and system-level access permissions to exploit (OSS Security).

The vulnerability has been fixed in Apache StreamPark version 2.1.4 by implementing proper validation and interception of special characters like the backtick symbol in build arguments. Users are strongly recommended to upgrade to version 2.1.4 or later to address this security issue (OSS Security).