Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04cmpoLTNtaG0tOTY2cc4AA0c8
Apache InLong Incorrect Permission Assignment for Critical Resource Vulnerability
Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7949 to solve it.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04cmpoLTNtaG0tOTY2cc4AA0c8
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Percentage: 0.00231
EPSS Percentile: 0.60767
Identifiers: GHSA-8rjh-3mhm-966q, CVE-2023-31453
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-31453
- https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06
- https://github.com/apache/inlong/pull/7949
- https://github.com/advisories/GHSA-8rjh-3mhm-966q
Blast Radius: 11.6
Affected Packages
maven:org.apache.inlong:manager-web
Dependent packages: 1
Dependent repositories: 35
Downloads:
Affected Version Ranges: >= 1.2.0, < 1.7.0
Fixed in: 1.7.0
All affected versions: 1.3.0, 1.4.0, 1.5.0, 1.6.0
All unaffected versions: 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 2.0.0
maven:org.apache.inlong:manager-service
Dependent packages: 3
Dependent repositories: 35
Downloads:
Affected Version Ranges: >= 1.2.0, < 1.7.0
Fixed in: 1.7.0
All affected versions: 1.3.0, 1.4.0, 1.5.0, 1.6.0
All unaffected versions: 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.12.0, 1.13.0, 2.0.0