CVE-2024-29120
Severity: MEDIUM · EPSS 20.0%
Published Jul 17, 2024 · Last modified Jun 17, 2026
CVSS 3.1 base score: 5.9
Description
In Apache StreamPark before 2.1.4, when a user logged in successfully the backend service returned an "Authorization" value as the front-end authentication credential. Any user holding such a credential could use it to request other users' information, including the administrator's username, password and salt value. Mitigation: all users should upgrade to 2.1.4.
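The description implies two defects: the user-lookup endpoint accepts any logged-in credential for any target user, and the response serialises the whole stored record, salt and password hash included. The example below is added here to illustrate that pattern and its fix; it is not StreamPark's code and assumes a hypothetical in-memory user table, a token map standing in for the "Authorization" header, and a simple salted-SHA-256 hashing scheme constructed for the demo. The `leaked_fields` walker is the check a tester would run against a live deployment's JSON responses.

```python
import hashlib
import os
from dataclasses import dataclass, asdict


@dataclass
class User:
    user_id: int
    username: str
    role: str       # "admin" or "user" (hypothetical role model)
    password: str   # salted hash as stored, never the clear text
    salt: str


def make_user(user_id: int, username: str, role: str, clear: str) -> User:
    """Build a record with a random per-user salt and a salted SHA-256 hash
    (constructed test data; not StreamPark's own hashing scheme)."""
    salt = os.urandom(8).hex()
    digest = hashlib.sha256((salt + clear).encode()).hexdigest()
    return User(user_id, username, role, digest, salt)


# Constructed in-memory state standing in for the backend's user table and
# for the session store behind the "Authorization" header.
USERS = {
    1: make_user(1, "admin", "admin", "correct horse"),
    2: make_user(2, "alice", "user", "battery staple"),
    3: make_user(3, "bob", "user", "hunter2"),
}
TOKENS = {"tok-admin": 1, "tok-alice": 2, "tok-bob": 3}

# Keys that must never appear in an API response body.
SENSITIVE_KEYS = {"password", "salt"}


def vulnerable_get_user(token: str, target_id: int) -> dict:
    """Before: any authenticated caller may read any user, and the whole
    record is serialised, so the admin's hash and salt leak (CWE-212/922)."""
    if token not in TOKENS:
        raise PermissionError("not authenticated")
    return asdict(USERS[target_id])


def hardened_get_user(token: str, target_id: int) -> dict:
    """After: object-level authorisation plus an allow-list serialiser."""
    caller_id = TOKENS.get(token)
    if caller_id is None:
        raise PermissionError("not authenticated")
    caller = USERS[caller_id]
    if caller.role != "admin" and caller_id != target_id:
        raise PermissionError("not authorised to read this user")
    user = USERS[target_id]
    return {"user_id": user.user_id, "username": user.username, "role": user.role}


def leaked_fields(body, path: str = "") -> list:
    """Walk a decoded JSON body (dicts and lists, any depth) and return the
    dotted paths of sensitive keys, case-insensitively. Empty list == clean."""
    found = []
    if isinstance(body, dict):
        for key, value in body.items():
            here = f"{path}.{key}" if path else str(key)
            if str(key).lower() in SENSITIVE_KEYS:
                found.append(here)
            found.extend(leaked_fields(value, here))
    elif isinstance(body, list):
        for i, value in enumerate(body):
            found.extend(leaked_fields(value, f"{path}[{i}]"))
    return sorted(found)


def denied(handler, *args) -> bool:
    """True if the handler refuses the request with PermissionError."""
    try:
        handler(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # A plain user reading the admin's record, before and after the fix.
    print("vulnerable leaks:", leaked_fields(vulnerable_get_user("tok-bob", 1)))
    print("hardened denies:", denied(hardened_get_user, "tok-bob", 1))
```

Both fixes are needed: authorisation alone still hands an administrator's hash and salt to any admin-level caller through a generic serialiser, and an allow-list alone still lets a plain user enumerate other accounts. Run `leaked_fields` over every JSON response in an API test suite rather than only the endpoint named in an advisory; the same serialiser is usually reused elsewhere.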
CVSS Details
Base Score: 5.9 (Medium)
Exploitability sub-score: 2.5
Impact sub-score: 3.4
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low
Note: the vector rates Attack Vector as Local, although the description concerns a credential presented to the backend service; when triaging, weigh the description alongside the metric rather than the score alone.
Threat Intelligence
EPSS exploit probability: 20.0% (reported as percentile)
Exploit & Patch Status
Known exploit: none recorded
Patch: fixed in 2.1.4 according to the vendor description above; the automated patch field for this entry shows no record
Weaknesses (2)
CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
CWE-922: Insecure Storage of Sensitive Information
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| apache | streampark | * | ≥2.0.0 – <2.1.4 |
References (2)
- openwall.com http://www.openwall.com/lists/oss-security/2024/07/17/4
- lists.apache.org https://lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j
Remediation
Upgrade Apache StreamPark to 2.1.4 or later, the fixed version named in the description and the upper bound of the affected range. Because the flaw discloses stored password and salt values, upgrading does not undo disclosure that may already have occurred: rotate account passwords, the administrator's first, on any instance that was reachable by untrusted logged-in users while running an affected version. See the vendor advisories linked above and the NVD entry for further details.