CVE-2024-29120: 
Java vulnerability analysis and mitigation

CVE-2024-29120 affects Apache StreamPark versions prior to 2.1.4. The vulnerability was discovered and disclosed on July 17, 2024, impacting the authentication mechanism of StreamPark's backend service. When a user successfully logs in, the backend service returns an 'Authorization' credential that can be exploited to access other users' sensitive information (OSS Security).

The vulnerability stems from an improper implementation of authentication controls in StreamPark's backend service. After successful login, the service returns an 'Authorization' token that can be manipulated to access unauthorized user information, including administrator credentials and salt values. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. It is classified under CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) and CWE-922 (Insecure Storage of Sensitive Information) (NVD).

The vulnerability allows authenticated users to access sensitive information of other users, including administrator credentials, usernames, passwords, and salt values. This information disclosure could potentially lead to unauthorized access and privilege escalation within the StreamPark system (OSS Security).

The recommended mitigation is to upgrade to StreamPark version 2.1.4 or later, which contains the fix for this vulnerability. No alternative workarounds have been provided (OSS Security).