Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NTdwLTdocDUtcHFtcs4AA0c6
Apache InLong Insufficient Session Expiration vulnerability
Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0.
An old session can be used by an attacker even after the user has been deleted or the password has been changed.
Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 or https://github.com/apache/inlong/pull/7884 to solve it.
Permalink: https://github.com/advisories/GHSA-757p-7hp5-pqmrJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NTdwLTdocDUtcHFtcs4AA0c6
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Percentage: 0.00503
EPSS Percentile: 0.76215
Identifiers: GHSA-757p-7hp5-pqmr, CVE-2023-31065
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-31065
- https://lists.apache.org/thread/to7o0n2cks0omtwo6mhh5cs2vfdbplqf
- https://github.com/apache/inlong/pull/7836
- https://github.com/apache/inlong/pull/7884
- https://github.com/advisories/GHSA-757p-7hp5-pqmr
Blast Radius: 14.1
Affected Packages
maven:org.apache.inlong:manager-service
Dependent packages: 3Dependent repositories: 35
Downloads:
Affected Version Ranges: >= 1.4.0, < 1.7.0
Fixed in: 1.7.0
All affected versions: 1.4.0, 1.5.0, 1.6.0
All unaffected versions: 1.3.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 2.0.0
maven:org.apache.inlong:manager-web
Dependent packages: 1Dependent repositories: 35
Downloads:
Affected Version Ranges: >= 1.4.0, < 1.7.0
Fixed in: 1.7.0
All affected versions: 1.4.0, 1.5.0, 1.6.0
All unaffected versions: 1.3.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 2.0.0
maven:org.apache.inlong:manager-dao
Dependent packages: 2Dependent repositories: 35
Downloads:
Affected Version Ranges: >= 1.4.0, < 1.7.0
Fixed in: 1.7.0
All affected versions: 1.4.0, 1.5.0, 1.6.0
All unaffected versions: 1.3.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 2.0.0
maven:org.apache.inlong:manager-pojo
Dependent packages: 3Dependent repositories: 30
Downloads:
Affected Version Ranges: >= 1.4.0, < 1.7.0
Fixed in: 1.7.0
All affected versions: 1.4.0, 1.5.0, 1.6.0
All unaffected versions: 1.3.0, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 2.0.0