CVE-2023-31453 — Incorrect Permission Assignment in Software Foundation Apache Inlong

CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 55.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Inlong Apache Inlong

Timeline

PublishedMay 22

Latest updateJul 6

Description

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_inlong1.2.0 — 1.6.0

▶NVDapache/inlong1.2.0 — 1.6.0

🔴Vulnerability Details

GHSA

Apache InLong Incorrect Permission Assignment for Critical Resource Vulnerability↗2023-07-06

▶

OSV

Apache InLong Incorrect Permission Assignment for Critical Resource Vulnerability↗2023-07-06

▶

CVEList

Apache InLong: IDOR make users can delete others' subscription↗2023-05-22

▶