CVE-2024-29070 - Vulnerability Details - OpenCVE

On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Streampark

Configuration 1 [-]

cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/07/22/4
https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl

History

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00216}`	epss `{'score': 0.00322}`

Thu, 10 Jul 2025 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache streampark
CPEs		cpe:2.3:a:apache:streampark::::::::
Vendors & Products		Apache Apache streampark

Fri, 13 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:apache_software_foundation:apache_streampark::::::::
Vendors & Products	Apache Software Foundation Apache Software Foundation apache Streampark
References		http://www.openwall.com/lists/oss-security/2024/07/22/4
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-07-23T08:13:41.408Z

Updated: 2024-09-13T17:04:30.274Z

Reserved: 2024-03-15T03:21:44.446Z

Link: CVE-2024-29070

Vulnrichment

Updated: 2024-09-13T17:04:30.274Z

NVD

Status : Analyzed

Published: 2024-07-23T09:15:02.503

Modified: 2025-07-10T18:24:57.027

Link: CVE-2024-29070

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29070", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-03-15T03:21:44.446Z", "datePublished": "2024-07-23T08:13:41.408Z", "dateUpdated": "2024-09-13T17:04:30.274Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache StreamPark", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.1.4", "status": "affected", "version": "1.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "L0ne1y"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.<br><br><div>Mitigation:<br><br></div>all users <span style=\"background-color: var(--wht);\">should upgrade to 2.1.4</span><br><br><br>"}], "value": "On versions before 2.1.4,\u00a0session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-23T08:13:41.408Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache StreamPark: session not invalidated after logout", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "apache_software_foundation", "product": "apache_streampark", "cpes": ["cpe:2.3:a:apache_software_foundation:apache_streampark:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "1.0.0", "status": "affected", "lessThan": "2.1.4", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T14:42:15.338950Z", "id": "CVE-2024-29070", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T14:47:17.230Z"}}, {"title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/22/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:04:30.274Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/07/22/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-09-13T17:04:30.274Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-29070", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-23T14:42:15.338950Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache_software_foundation:apache_streampark:*:*:*:*:*:*:*:*"], "vendor": "apache_software_foundation", "product": "apache_streampark", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "2.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-23T14:44:37.808Z"}}], "cna": {"title": "Apache StreamPark: session not invalidated after logout", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "L0ne1y"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache StreamPark", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "2.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "On versions before 2.1.4,\u00a0session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\n", "supportingMedia": [{"type": "text/html", "value": "On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.<br><br><div>Mitigation:<br><br></div>all users <span style=\"background-color: var(--wht);\">should upgrade to 2.1.4</span><br><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-23T08:13:41.408Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29070", "state": "PUBLISHED", "dateUpdated": "2024-09-13T17:04:30.274Z", "dateReserved": "2024-03-15T03:21:44.446Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-07-23T08:13:41.408Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE3AEB59-5615-48A9-8425-59FF2644C5F9", "versionEndExcluding": "2.1.4", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "On versions before 2.1.4,\u00a0session is not invalidated after logout. When the user logged in successfully, the Backend service returns \"Authorization\" as the front-end authentication credential. \"Authorization\" can still initiate requests and access data even after logout.\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\n"}, {"lang": "es", "value": "En versiones anteriores a la 2.1.4, la sesi\u00f3n no se invalida despu\u00e9s de cerrar sesi\u00f3n. Cuando el usuario inicia sesi\u00f3n correctamente, el servicio Backend devuelve \"Authorization\" como credencial de autenticaci\u00f3n de front-end. La \"Authorization\" a\u00fan puede iniciar solicitudes y acceder a datos incluso despu\u00e9s de cerrar sesi\u00f3n. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.4"}], "id": "CVE-2024-29070", "lastModified": "2025-07-10T18:24:57.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-23T09:15:02.503", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/07/22/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/zslblrz1l0n9t67mqdv42yv75ncfn9zl"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security@apache.org", "type": "Secondary"}]}