CVE-2024-34457

CWE-639 — Insecure Direct Object Reference CWE-269 — Improper Privilege Management3 documents3 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 57.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Streampark Apache Streampark

Timeline

PublishedJul 22

Description

On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/streampark< 2.1.4

▶CVEListV5apache_software_foundation/apache_streampark1.0.0 — 2.1.4

🔴Vulnerability Details

CVEList

Apache StreamPark IDOR Vulnerability↗2024-07-22

▶

GHSA

GHSA-j73p-gc9r-3pf8: On versions before 2↗2024-07-22

▶