CVE-2024-29070

Severity: 9.1 CRITICAL
EPSS: 0.2% (percentile: top 63.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 23

Description

On versions before 2.1.4, the session is not invalidated after logout. When a user logs in successfully, the backend service returns an "Authorization" value that the front end uses as its authentication credential. That "Authorization" value can still be used to initiate requests and access data even after the user has logged out. Mitigation: all users should upgrade to 2.1.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2

Affected Packages (2 packages)

Source | Package           | Affected from | Fixed in
NVD    | apache/streampark | 1.0.0         | 2.1.4

Vulnerability Details (2 references)

CVEList: Apache StreamPark: session not invalidated after logout (2024-07-23)
GHSA: GHSA-fprx-3cv4-96vc: "On versions before 2" [title truncated in source] (2024-07-23)
Source page: CVE-2024-29070 (CRITICAL CVSS 9.1) | On versions before 2.1.4 | cvebase.io