CVE-2024-29070: Apache StreamPark: session not invalidated after logout

Vendor: Apache Software Foundation
Product: Apache StreamPark
Weakness: CWE-613 (Insufficient session expiration)
Published: July 23, 2024
Last update: September 13, 2024

What the vulnerability does

Description

In versions before 2.1.4, the session is not invalidated after logout. When a user logs in successfully, the backend service returns an "Authorization" value that the front end uses as its authentication credential. That "Authorization" value can still be used to initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4.

Key dates

Disclosure timeline

July 23, 2024: CVE published
September 13, 2024: Record updated