In Streampark (version < 2.1.4), when a user logged in successfully, the Backend service would return "Authorization" as the front-end authentication credential. User can use this credential to request other users' information, including the administrator's username, password, salt value, etc.
Mitigation:
all users should upgrade to 2.1.4
{ "nvd_published_at": "2024-07-17T15:15:14Z", "cwe_ids": [ "CWE-212", "CWE-922" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-11-14T22:46:02Z" }