CVE-2023-31453

HIGH7.5EPSS 0.45%

Apache InLong Incorrect Permission Assignment for Critical Resource Vulnerability

Published: 7/6/2023Modified: 2/16/2024

Description

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7949 to solve it.

Affected packages (2)

Maven/org.apache.inlong:manager-service>= 1.2.0, < 1.7.0
Maven/org.apache.inlong:manager-web>= 1.2.0, < 1.7.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-31453
PATCHhttps://github.com/apache/inlong
WEBhttps://github.com/apache/inlong/pull/7949
WEBhttps://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06