Lucene search

ApacheCVE-2024-29070

HistoryJul 23, 2024 - 9:15 a.m.

CVE-2024-29070

2024-07-2309:15:02

CWE-613

apache

web.nvd.nist.gov

cve-2024-29070

session

invalidation

backend service

authorization

upgrade

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score

6.7

Confidence

Low

EPSS

Percentile

9.4%

JSON

On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns “Authorization” as the front-end authentication credential. “Authorization” can still initiate requests and access data even after logout.

Mitigation:

all users should upgrade to 2.1.4

Affected configurations

Vulners

Vulnrichment

Node

apachestreamparkRange≤2.1.4

VendorProductVersionCPE
apachestreampark*cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	streampark	*	cpe:2.3:a:apache:streampark::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache StreamPark",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.1.4",
        "status": "affected",
        "version": "1.0.0",
        "versionType": "semver"
      }
    ]
  }
]

References

lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

AI Score

6.7

Confidence

Low

EPSS

Percentile

9.4%

JSON

Related for CVE-2024-29070