Lucene search

[email protected]NVD:CVE-2024-29070

HistoryJul 23, 2024 - 9:15 a.m.

CVE-2024-29070

2024-07-2309:15:02

CWE-613

[email protected]

web.nvd.nist.gov

insecure session

access after logout

upgrade required

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS

Percentile

9.4%

JSON

On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns “Authorization” as the front-end authentication credential. “Authorization” can still initiate requests and access data even after logout.

Mitigation:

all users should upgrade to 2.1.4

References

lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS

Percentile

9.4%

JSON

Related for NVD:CVE-2024-29070

cvelist1 veracode1 cve1 vulnrichment1