Severity: moderate
Affected versions:
- Apache StreamPark 1.0.0 before 2.1.4
Description:
On versions before 2.1.4, after a regular user successfully logs in, they can manually issue a request with their own
authorization token and view every user's Flink information, including executeSQL and config.
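The flaw described above is a missing object-level authorization check: the server verifies that the caller is logged in, but not that the caller owns the record being read. The following is an added illustration written for this advisory, not StreamPark's own code; the class, field and method names (FlinkJobInfo, Principal, findByIdUnchecked, findByIdForUser, listForUser) and the in-memory job table are assumptions chosen to show the vulnerable lookup beside the hardened one.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added example (not StreamPark code): a per-user Flink job record that carries an owner id,
// and lookups that enforce ownership before returning executeSQL or config to the caller.
public class FlinkJobAccessExample {

    /** The sensitive per-user data the advisory names: the SQL text and the job configuration. */
    record FlinkJobInfo(long id, long ownerUserId, String executeSql, String config) {}

    /** Minimal caller identity, as the server would derive it from the validated session token. */
    record Principal(long userId, boolean admin) {}

    /** Hypothetical repository: an in-memory map standing in for the database table. */
    static final Map<Long, FlinkJobInfo> JOBS = new LinkedHashMap<>();
    static {
        // Constructed sample rows owned by two different users.
        JOBS.put(1L, new FlinkJobInfo(1L, 100L, "SELECT * FROM orders", "parallelism=2"));
        JOBS.put(2L, new FlinkJobInfo(2L, 200L, "SELECT * FROM payments", "parallelism=4"));
    }

    /** Vulnerable pattern: authentication only. Any logged-in user can read any record by id. */
    static Optional<FlinkJobInfo> findByIdUnchecked(long id) {
        return Optional.ofNullable(JOBS.get(id));
    }

    /**
     * Hardened pattern: object-level authorization. The record is returned only when the
     * caller owns it or holds the admin role. A record belonging to someone else is reported
     * to the client exactly like a missing one, so ids cannot be distinguished by response
     * shape, while the denied attempt is still logged server-side for detection.
     */
    static Optional<FlinkJobInfo> findByIdForUser(long id, Principal caller) {
        FlinkJobInfo job = JOBS.get(id);
        if (job == null) {
            return Optional.empty();
        }
        if (caller.admin() || job.ownerUserId() == caller.userId()) {
            return Optional.of(job);
        }
        System.err.println("access denied: user " + caller.userId() + " requested job " + id);
        return Optional.empty();
    }

    /** Hardened list endpoint: non-admins only ever see their own jobs, never everyone's. */
    static List<FlinkJobInfo> listForUser(Principal caller) {
        List<FlinkJobInfo> visible = new ArrayList<>();
        for (FlinkJobInfo job : JOBS.values()) {
            if (caller.admin() || job.ownerUserId() == caller.userId()) {
                visible.add(job);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        Principal alice = new Principal(100L, false);
        Principal admin = new Principal(1L, true);

        // Vulnerable: the unchecked lookup hands Alice another user's SQL text.
        System.out.println("unchecked job 2 -> "
                + findByIdUnchecked(2L).map(FlinkJobInfo::executeSql).orElse("<none>"));

        // Hardened: Alice can read her own job, job 2 is withheld from her, the admin sees both.
        System.out.println("alice job 1 present -> " + findByIdForUser(1L, alice).isPresent());
        System.out.println("alice job 2 present -> " + findByIdForUser(2L, alice).isPresent());
        System.out.println("admin job 2 present -> " + findByIdForUser(2L, admin).isPresent());
        System.out.println("alice sees " + listForUser(alice).size() + " job(s), admin sees "
                + listForUser(admin).size());
    }
}
```

The point of the hardened variant is that the ownership test lives in the lookup itself, so every caller (REST handler, scheduler, export job) goes through it; adding the check only in one controller leaves the same data reachable through any other path that reaches the repository.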
Mitigation:
All users should upgrade to 2.1.4.
Credit:
L0ne1y (reporter)
References:
https://streampark.incubator.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-34457