Apache StreamPark: Information leakage vulnerability
Description
In StreamPark (versions before 2.1.4), when a user logs in successfully, the backend service returns an "Authorization" value as the front-end authentication credential. A user can use this credential to request other users' information, including the administrator's username, password, salt value, etc.
Mitigation:
All users should upgrade to 2.1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache StreamPark versions before 2.1.4 expose an information leakage vulnerability where a logged-in user can obtain other users' credentials via the returned Authorization token.
Vulnerability Details
CVE-2024-29120 is an information leakage vulnerability in Apache StreamPark versions prior to 2.1.4. After a successful login, the backend service returns an "Authorization" token intended for front-end authentication. The backend does not, however, restrict which users' records an authenticated caller may retrieve: any logged-in user can request sensitive information about other users, including the administrator's username, password, and salt value [1][3].
Exploitation
An attacker needs only a valid user account on the StreamPark instance. After logging in they hold an Authorization token, and with that token they can call the API endpoints that return user details for accounts other than their own; no further authentication or authorization check is applied. Simply querying the user-information endpoints with an ordinary user's token is enough to trigger the leak [1][3].
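The access pattern described above, modelled as plain Python beside a hardened version. This is an added example, not StreamPark's own code (which is Java) and not the advisory's: the record layout, the role names, the "admin or self" rule, and the `sensitive_fields` audit helper are assumptions made for the demo, and the user table is constructed data. The lesson is twofold: the lookup must check the caller's entitlement to the target record, and the response must be shaped so that credential material never reaches the wire, even for callers who are entitled.

```python
"""Added example (not StreamPark's code): a user-lookup handler in the shape
CVE-2024-29120 describes, beside a hardened one, plus an audit helper that
flags credential-like fields in a decoded JSON response.

Assumptions (not from the advisory): record layout, role names, the rule that
only an admin or the user themself may read a record. All data is constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed user table. The password column holds a salted hash, as the
# presence of a per-user salt suggests; these hex strings are made up.
USERS: Dict[int, Dict[str, Any]] = {
    1: {"userId": 1, "username": "admin", "roles": ["admin"],
        "password": "9b74c9897bac770ffc029102a200c5de", "salt": "a1b2c3d4"},
    2: {"userId": 2, "username": "alice", "roles": ["viewer"],
        "password": "5d41402abc4b2a76b9719d911017c592", "salt": "e5f6a7b8"},
}

# Key names that should never appear in an API response body.
SENSITIVE = {"password", "passwordhash", "salt", "secret", "token"}


@dataclass(frozen=True)
class Session:
    """What the Authorization token resolves to after a successful login."""
    user_id: int
    roles: Tuple[str, ...]


class Forbidden(Exception):
    pass


# Two constructed sessions used by the demo and the tests.
ADMIN = Session(user_id=1, roles=("admin",))
VIEWER = Session(user_id=2, roles=("viewer",))


def get_user_vulnerable(session: Optional[Session], target_id: int) -> Dict[str, Any]:
    """Vulnerable shape: any valid token may read any user's full record,
    credential fields included. Only authentication is checked."""
    if session is None:
        raise Forbidden("not authenticated")
    return dict(USERS[target_id])


def public_view(record: Dict[str, Any]) -> Dict[str, Any]:
    """Response shaping: drop credential material before serialisation."""
    return {k: v for k, v in record.items() if k.lower() not in SENSITIVE}


def get_user_hardened(session: Optional[Session], target_id: int) -> Dict[str, Any]:
    """Hardened shape: authenticate, then authorise (admin or self), then
    return only the public projection of the record."""
    if session is None:
        raise Forbidden("not authenticated")
    if target_id != session.user_id and "admin" not in session.roles:
        raise Forbidden("caller may not read other users' records")
    return public_view(USERS[target_id])


def sensitive_fields(body: Any) -> List[str]:
    """Audit helper: walk a decoded JSON body and return the paths of keys
    whose names look like credential material. Run it over the responses
    your own instance returns to a low-privileged token."""
    found: List[str] = []

    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key.lower() in SENSITIVE:
                    found.append(here)
                walk(value, here)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(body, "")
    return found


if __name__ == "__main__":
    leaked = get_user_vulnerable(VIEWER, 1)
    print("vulnerable handler leaks:", sensitive_fields(leaked))
    try:
        get_user_hardened(VIEWER, 1)
    except Forbidden as exc:
        print("hardened handler refused:", exc)
    print("hardened self-lookup:", get_user_hardened(VIEWER, 2))
```

The audit helper is the practical check: log in as an ordinary user, fetch the user-listing and user-detail responses, decode them and pass the result to `sensitive_fields`; any hit is a leak regardless of which version you believe you are running.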
Impact
Successful exploitation discloses the administrator's credential material (username, password field, and salt). The advisory does not say how the password is stored; the fact that a salt is returned alongside it suggests a salted hash, in which case the attacker has everything needed to crack it offline, and a weak administrator password falls quickly. Either way the end state is compromise of the administrator account, giving unrestricted access to the StreamPark platform and potentially to the streaming applications and data it manages [1][3].
Mitigation
The vulnerability is fixed in Apache StreamPark version 2.1.4. All users are advised to upgrade immediately; no workarounds are documented. Because any existing account could already have read the administrator's password field and salt, rotating the administrator password after the upgrade is prudent (a general recommendation, not part of the advisory). The issue was reported by L0ne1y [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.streampark:streampark | Maven | >= 2.0.0, < 2.1.4 | 2.1.4 |
Affected products
- Apache Software Foundation / Apache StreamPark, affected range: >= 2.0.0, < 2.1.4
Patches
No patches discovered yet.
References
[1] github.com/advisories/GHSA-hcf8-5j78-887v (GHSA advisory)
[2] lists.apache.org/thread/y3oqz7l8vd7jxxx3z2khgl625nvfr60j (vendor advisory, Apache mailing list)
[3] nvd.nist.gov/vuln/detail/CVE-2024-29120 (NVD advisory)
[4] www.openwall.com/lists/oss-security/2024/07/17/4 (oss-security mailing list)