Описание
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout.
Mitigation:
all users should upgrade to 2.1.4
Ссылки
- Mailing ListVendor Advisory
- Mailing ListThird Party Advisory
- Mailing ListVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 1.0.0 (включая) до 2.1.4 (исключая)
cpe:2.3:a:apache:streampark:*:*:*:*:*:*:*:*
EPSS
Процентиль: 37%
0.0016
Низкий
9.1 Critical
CVSS3
Дефекты
CWE-613
Связанные уязвимости
CVSS3: 9.1
github
больше 1 года назад
On versions before 2.1.4, session is not invalidated after logout. When the user logged in successfully, the Backend service returns "Authorization" as the front-end authentication credential. "Authorization" can still initiate requests and access data even after logout. Mitigation: all users should upgrade to 2.1.4
EPSS
Процентиль: 37%
0.0016
Низкий
9.1 Critical
CVSS3
Дефекты
CWE-613