cvelistv5 - cve-2024-34457

CVE-2024-34457 (GCVE-0-2024-34457)

Vulnerability from cvelistv5 – Published: 2024-07-22 09:48 – Updated: 2024-11-04 21:27

Summary

On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone's user flink information, including executeSQL and config. Mitigation: all users should upgrade to 2.1.4

Severity ?

No CVSS data available.

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/brlfrmvw9dcv38zoo…	vendor-advisory
	https://www.openwall.com/lists/oss-security/2024/…

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache StreamPark	Affected: 1.0.0 , < 2.1.4 (semver)

Credits

L0ne1y

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-34457",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-22T17:57:18.100067Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T21:27:42.331Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:51:11.536Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/07/22/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache StreamPark",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.1.4",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "L0ne1y"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eOn versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\u003cbr\u003e\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\"background-color: var(--wht);\"\u003eshould upgrade to 2.1.4\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\n\nMitigation:\n\nall users should upgrade to 2.1.4"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-11T11:03:07.865Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2024/07/22/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache StreamPark IDOR Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-34457",
    "datePublished": "2024-07-22T09:48:23.130Z",
    "dateReserved": "2024-05-04T01:42:52.214Z",
    "dateUpdated": "2024-11-04T21:27:42.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.1.4\", \"matchCriteriaId\": \"43F40411-3380-4B0F-BA0D-18C85BD8C615\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\\n\\nMitigation:\\n\\nall users should upgrade to 2.1.4\"}, {\"lang\": \"es\", \"value\": \"En versiones anteriores a la 2.1.4, despu\\u00e9s de que un usuario normal inicia sesi\\u00f3n con \\u00e9xito, puede realizar una solicitud manualmente utilizando el token de autorizaci\\u00f3n para ver la informaci\\u00f3n de flink de todos los usuarios, incluidos runSQL y config. Mitigaci\\u00f3n: todos los usuarios deben actualizar a 2.1.4\"}]",
      "id": "CVE-2024-34457",
      "lastModified": "2024-11-21T09:18:43.260",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
      "published": "2024-07-22T10:15:03.607",
      "references": "[{\"url\": \"https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2024/07/22/2\", \"source\": \"security@apache.org\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/07/22/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-34457\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-07-22T10:15:03.607\",\"lastModified\":\"2024-11-21T09:18:43.260\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\\n\\nMitigation:\\n\\nall users should upgrade to 2.1.4\"},{\"lang\":\"es\",\"value\":\"En versiones anteriores a la 2.1.4, despu\u00e9s de que un usuario normal inicia sesi\u00f3n con \u00e9xito, puede realizar una solicitud manualmente utilizando el token de autorizaci\u00f3n para ver la informaci\u00f3n de flink de todos los usuarios, incluidos runSQL y config. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.4\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.1.4\",\"matchCriteriaId\":\"43F40411-3380-4B0F-BA0D-18C85BD8C615\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2024/07/22/2\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/07/22/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/07/22/2\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:51:11.536Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34457\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-22T17:57:18.100067Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-22T17:57:21.763Z\"}}], \"cna\": {\"title\": \"Apache StreamPark IDOR Vulnerability\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"L0ne1y\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache StreamPark\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"2.1.4\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2024/07/22/2\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\\n\\nMitigation:\\n\\nall users should upgrade to 2.1.4\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eOn versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\u003cbr\u003e\u003c/div\u003e\u003cbr\u003e\u003cdiv\u003eMitigation:\u003cbr\u003e\u003cbr\u003e\u003c/div\u003eall users \u003cspan style=\\\"background-color: var(--wht);\\\"\u003eshould upgrade to 2.1.4\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-09-11T11:03:07.865Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-34457\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-04T21:27:42.331Z\", \"dateReserved\": \"2024-05-04T01:42:52.214Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-07-22T09:48:23.130Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-34457

Vulnerability from fkie_nvd - Published: 2024-07-22 10:15 - Updated: 2024-11-21 09:18

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@apache.org	https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j	Mailing List, Vendor Advisory
security@apache.org	https://www.openwall.com/lists/oss-security/2024/07/22/2
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2024/07/22/2
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	streampark	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "43F40411-3380-4B0F-BA0D-18C85BD8C615",
              "versionEndExcluding": "2.1.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\n\nMitigation:\n\nall users should upgrade to 2.1.4"
    },
    {
      "lang": "es",
      "value": "En versiones anteriores a la 2.1.4, despu\u00e9s de que un usuario normal inicia sesi\u00f3n con \u00e9xito, puede realizar una solicitud manualmente utilizando el token de autorizaci\u00f3n para ver la informaci\u00f3n de flink de todos los usuarios, incluidos runSQL y config. Mitigaci\u00f3n: todos los usuarios deben actualizar a 2.1.4"
    }
  ],
  "id": "CVE-2024-34457",
  "lastModified": "2024-11-21T09:18:43.260",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-07-22T10:15:03.607",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
    },
    {
      "source": "security@apache.org",
      "url": "https://www.openwall.com/lists/oss-security/2024/07/22/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2024/07/22/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security@apache.org",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

GHSA-J73P-GC9R-3PF8

Vulnerability from github – Published: 2024-07-22 12:30 – Updated: 2024-09-11 12:30

Details

Mitigation:

all users should upgrade to 2.1.4

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-34457"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-22T10:15:03Z",
    "severity": "MODERATE"
  },
  "details": "On versions before 2.1.4, after a regular user successfully logs in, they can manually make a request using the authorization token to view everyone\u0027s user flink information, including executeSQL and config.\n\nMitigation:\n\nall users should upgrade to 2.1.4\n\n",
  "id": "GHSA-j73p-gc9r-3pf8",
  "modified": "2024-09-11T12:30:51Z",
  "published": "2024-07-22T12:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34457"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2024/07/22/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/07/22/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2024-33809

Vulnerability from cnvd - Published: 2024-07-29

Title

Apache StreamPark权限管理错误漏洞

Description

Apache StreamPark是美国阿帕奇（Apache）基金会的一个流媒体应用程序开发框架。 Apache StreamPark 1.0.0版本至2.1.4之前版本存在权限管理错误漏洞，攻击者可利用该漏洞使用授权令牌手动发出请求，查看每个人的用户flink信息。

Severity

中

Patch Name

Apache StreamPark权限管理错误漏洞的补丁

Patch Description

Apache StreamPark是美国阿帕奇（Apache）基金会的一个流媒体应用程序开发框架。 Apache StreamPark 1.0.0版本至2.1.4之前版本存在权限管理错误漏洞，攻击者可利用该漏洞使用授权令牌手动发出请求，查看每个人的用户flink信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j

Reference

https://cxsecurity.com/cveshow/CVE-2024-34457/

Impacted products

Name
Apache StreamPark >=1.0.0，<2.1.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-34457"
    }
  },
  "description": "Apache StreamPark\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6d41\u5a92\u4f53\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u6846\u67b6\u3002\n\nApache StreamPark 1.0.0\u7248\u672c\u81f32.1.4\u4e4b\u524d\u7248\u672c\u5b58\u5728\u6743\u9650\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u6388\u6743\u4ee4\u724c\u624b\u52a8\u53d1\u51fa\u8bf7\u6c42\uff0c\u67e5\u770b\u6bcf\u4e2a\u4eba\u7684\u7528\u6237flink\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/brlfrmvw9dcv38zoofmhxg7qookmwn7j",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-33809",
  "openTime": "2024-07-29",
  "patchDescription": "Apache StreamPark\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6d41\u5a92\u4f53\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u6846\u67b6\u3002\r\n\r\nApache StreamPark 1.0.0\u7248\u672c\u81f32.1.4\u4e4b\u524d\u7248\u672c\u5b58\u5728\u6743\u9650\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u6388\u6743\u4ee4\u724c\u624b\u52a8\u53d1\u51fa\u8bf7\u6c42\uff0c\u67e5\u770b\u6bcf\u4e2a\u4eba\u7684\u7528\u6237flink\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache StreamPark\u6743\u9650\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache StreamPark \u003e=1.0.0\uff0c\u003c2.1.4"
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2024-34457/",
  "serverity": "\u4e2d",
  "submitTime": "2024-07-24",
  "title": "Apache StreamPark\u6743\u9650\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-34457 (GCVE-0-2024-34457)

FKIE_CVE-2024-34457

GHSA-J73P-GC9R-3PF8

CNVD-2024-33809

Tags

Sightings

Nomenclature