cvelistv5 - cve-2023-31453

CVE-2023-31453 (GCVE-0-2023-31453)

Vulnerability from cvelistv5

Published

2023-05-22 13:25

Modified

2024-10-11 13:46

Severity ?

CWE

CWE-732 - Incorrect Permission Assignment for Critical Resource

Summary

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949

References

▼	URL	Tags
	security@apache.org	https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06	Mailing List, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache InLong	Version: 1.2.0 ≤ 1.6.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:53:31.072Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "inlong",
            "vendor": "apache",
            "versions": [
              {
                "lessThanOrEqual": "1.6.0",
                "status": "affected",
                "version": "1.2.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-31453",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-11T13:45:51.359098Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-11T13:46:50.433Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache InLong",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.6.0",
              "status": "affected",
              "version": "1.2.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.\u003cp\u003eThis issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eattacker can delete others\u0027 subscriptions, even if they are not the owner\nof the deleted subscription\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e.\u0026nbsp;\u003c/span\u003eUsers are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\u003c/p\u003e\u003cp\u003e[1] \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/7949\"\u003e\n\n\u003c/a\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/7949\"\u003ehttps://github.com/apache/inlong/pull/7949\u003c/a\u003e\n\n\u003c/p\u003e\n\n\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u00a0attacker can delete others\u0027 subscriptions, even if they are not the owner\nof the deleted subscription.\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\n\n[1] \n\n https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949 \n\n\n\n\n\n\n\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-22T13:25:47.820Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache InLong: IDOR make users can delete others\u0027 subscription",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-31453",
    "datePublished": "2023-05-22T13:25:47.820Z",
    "dateReserved": "2023-04-28T09:51:46.162Z",
    "dateUpdated": "2024-10-11T13:46:50.433Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-31453\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2023-05-22T14:15:09.643\",\"lastModified\":\"2024-11-21T08:01:53.757\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u00a0attacker can delete others\u0027 subscriptions, even if they are not the owner\\nof the deleted subscription.\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\\n\\n[1] \\n\\n https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949 \\n\\n\\n\\n\\n\\n\\n\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-732\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.2.0\",\"versionEndIncluding\":\"1.6.0\",\"matchCriteriaId\":\"F5885ADE-6494-4EB2-BCCA-27499935E80C\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"product\": \"Apache InLong\", \"vendor\": \"Apache Software Foundation\", \"versions\": [{\"lessThanOrEqual\": \"1.6.0\", \"status\": \"affected\", \"version\": \"1.2.0\", \"versionType\": \"semver\"}]}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.\u003cp\u003eThis issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eattacker can delete others\u0027 subscriptions, even if they are not the owner\\nof the deleted subscription\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e.\u0026nbsp;\u003c/span\u003eUsers are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\u003c/p\u003e\u003cp\u003e[1] \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://github.com/apache/inlong/pull/7949\\\"\u003e\\n\\n\u003c/a\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://github.com/apache/inlong/pull/7949\\\"\u003ehttps://github.com/apache/inlong/pull/7949\u003c/a\u003e\\n\\n\u003c/p\u003e\\n\\n\u003cp\u003e\u003c/p\u003e\"}], \"value\": \"Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The\\u00a0attacker can delete others\u0027 subscriptions, even if they are not the owner\\nof the deleted subscription.\\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\\n\\n[1] \\n\\n https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949 \\n\\n\\n\\n\\n\\n\\n\\n\"}], \"metrics\": [{\"other\": {\"content\": {\"text\": \"important\"}, \"type\": \"Textual description of severity\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-732\", \"description\": \"CWE-732 Incorrect Permission Assignment for Critical Resource\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2023-05-22T13:25:47.820Z\"}, \"references\": [{\"tags\": [\"vendor-advisory\"], \"url\": \"https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"title\": \"Apache InLong: IDOR make users can delete others\u0027 subscription\", \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T14:53:31.072Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"vendor-advisory\", \"x_transferred\"], \"url\": \"https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-31453\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-11T13:45:51.359098Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*\"], \"vendor\": \"apache\", \"product\": \"inlong\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.2.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.6.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-11T13:46:44.372Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-31453\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"apache\", \"dateReserved\": \"2023-04-28T09:51:46.162Z\", \"datePublished\": \"2023-05-22T13:25:47.820Z\", \"dateUpdated\": \"2024-10-11T13:46:50.433Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

cnvd-2023-42967

Vulnerability from cnvd

Title: Apache InLong授权问题漏洞

Description:

Apache InLong是美国阿帕奇（Apache）基金会的一站式的海量数据集成框架。

Apache InLong 1.2.0版本至1.6.0版本存在授权问题漏洞。该漏洞源于权限管理不当。攻击者可利用该漏洞删除任意订阅。

Severity: 高

Patch Name: Apache InLong授权问题漏洞的补丁

Patch Description:

Apache InLong是美国阿帕奇（Apache）基金会的一站式的海量数据集成框架。

Apache InLong 1.2.0版本至1.6.0版本存在授权问题漏洞。该漏洞源于权限管理不当。攻击者可利用该漏洞删除任意订阅。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06

Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-31453

Impacted products

Name
Apache InLong >=1.2.0，<=1.6.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-31453",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-31453"
    }
  },
  "description": "Apache InLong\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u7ad9\u5f0f\u7684\u6d77\u91cf\u6570\u636e\u96c6\u6210\u6846\u67b6\u3002\n\nApache InLong 1.2.0\u7248\u672c\u81f31.6.0\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6743\u9650\u7ba1\u7406\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5220\u9664\u4efb\u610f\u8ba2\u9605\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-42967",
  "openTime": "2023-06-01",
  "patchDescription": "Apache InLong\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u7ad9\u5f0f\u7684\u6d77\u91cf\u6570\u636e\u96c6\u6210\u6846\u67b6\u3002\r\n\r\nApache InLong 1.2.0\u7248\u672c\u81f31.6.0\u7248\u672c\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6743\u9650\u7ba1\u7406\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5220\u9664\u4efb\u610f\u8ba2\u9605\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache InLong\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache InLong \u003e=1.2.0\uff0c\u003c=1.6.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-31453",
  "serverity": "\u9ad8",
  "submitTime": "2023-05-28",
  "title": "Apache InLong\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

ghsa-8rjh-3mhm-966q

Vulnerability from github

Published

2023-07-06 21:14

Modified

2023-07-06 23:38

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

Apache InLong Incorrect Permission Assignment for Critical Resource Vulnerability

Details

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7949 to solve it.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.inlong:manager-service"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.inlong:manager-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-31453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-06T23:38:09Z",
    "nvd_published_at": "2023-05-22T14:15:09Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u00a0attacker can delete others\u0027 subscriptions, even if they are not the owner\nof the deleted subscription.\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7949 to solve it.",
  "id": "GHSA-8rjh-3mhm-966q",
  "modified": "2023-07-06T23:38:09Z",
  "published": "2023-07-06T21:14:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-31453"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/inlong/pull/7949"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/inlong"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache InLong Incorrect Permission Assignment for Critical Resource Vulnerability"
}

gsd-2023-31453

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-31453

Aliases

CVE-2023-31453

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-31453",
    "id": "GSD-2023-31453"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-31453"
      ],
      "details": "Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u00a0attacker can delete others\u0027 subscriptions, even if they are not the owner\nof the deleted subscription.\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\n\n[1] \n\n https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949 \n\n\n\n\n\n\n\n",
      "id": "GSD-2023-31453",
      "modified": "2023-12-13T01:20:29.730756Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2023-31453",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache InLong",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "1.2.0",
                          "version_value": "1.6.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u00a0attacker can delete others\u0027 subscriptions, even if they are not the owner\nof the deleted subscription.\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\n\n[1] \n\n https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949 \n\n\n\n\n\n\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-732",
                "lang": "eng",
                "value": "CWE-732 Incorrect Permission Assignment for Critical Resource"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[1.2.0,1.7.0)",
          "affected_versions": "All versions starting from 1.2.0 before 1.7.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-732",
            "CWE-937"
          ],
          "date": "2023-07-06",
          "description": "Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u00a0attacker can delete others\u0027 subscriptions, even if they are not the owner\nof the deleted subscription.\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\n\n[1] \n\n https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949 \n\n\n\n\n\n\n\n",
          "fixed_versions": [
            "1.7.0"
          ],
          "identifier": "CVE-2023-31453",
          "identifiers": [
            "GHSA-8rjh-3mhm-966q",
            "CVE-2023-31453"
          ],
          "not_impacted": "All versions before 1.2.0, all versions starting from 1.7.0",
          "package_slug": "maven/org.apache.inlong/manager-service",
          "pubdate": "2023-07-06",
          "solution": "Upgrade to version 1.7.0 or above.",
          "title": "Incorrect Permission Assignment for Critical Resource",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-31453",
            "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06",
            "https://github.com/apache/inlong/pull/7949",
            "https://github.com/advisories/GHSA-8rjh-3mhm-966q"
          ],
          "uuid": "bf4abbc4-aced-4ff4-ace3-df7023133339"
        },
        {
          "affected_range": "[1.2.0,1.7.0)",
          "affected_versions": "All versions starting from 1.2.0 before 1.7.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-732",
            "CWE-937"
          ],
          "date": "2023-07-06",
          "description": "Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u00a0attacker can delete others\u0027 subscriptions, even if they are not the owner\nof the deleted subscription.\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\n\n[1] \n\n https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949 \n\n\n\n\n\n\n\n",
          "fixed_versions": [
            "1.7.0"
          ],
          "identifier": "CVE-2023-31453",
          "identifiers": [
            "GHSA-8rjh-3mhm-966q",
            "CVE-2023-31453"
          ],
          "not_impacted": "All versions before 1.2.0, all versions starting from 1.7.0",
          "package_slug": "maven/org.apache.inlong/manager-web",
          "pubdate": "2023-07-06",
          "solution": "Upgrade to version 1.7.0 or above.",
          "title": "Incorrect Permission Assignment for Critical Resource",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-31453",
            "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06",
            "https://github.com/apache/inlong/pull/7949",
            "https://github.com/advisories/GHSA-8rjh-3mhm-966q"
          ],
          "uuid": "23802678-a09e-433b-ba12-c0ecea1c889e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.6.0",
                "versionStartIncluding": "1.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2023-31453"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u00a0attacker can delete others\u0027 subscriptions, even if they are not the owner\nof the deleted subscription.\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\n\n[1] \n\n https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949 \n\n\n\n\n\n\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-732"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-05-27T01:20Z",
      "publishedDate": "2023-05-22T14:15Z"
    }
  }
}

fkie_cve-2023-31453

Vulnerability from fkie_nvd

Published

2023-05-22 14:15

Modified

2024-11-21 08:01

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

References

▼	URL	Tags
	security@apache.org	https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06	Mailing List, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	inlong	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5885ADE-6494-4EB2-BCCA-27499935E80C",
              "versionEndIncluding": "1.6.0",
              "versionStartIncluding": "1.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The\u00a0attacker can delete others\u0027 subscriptions, even if they are not the owner\nof the deleted subscription.\u00a0Users are advised to upgrade to Apache InLong\u0027s 1.7.0 or cherry-pick [1] to solve it.\n\n[1] \n\n https://github.com/apache/inlong/pull/7949 https://github.com/apache/inlong/pull/7949 \n\n\n\n\n\n\n\n"
    }
  ],
  "id": "CVE-2023-31453",
  "lastModified": "2024-11-21T08:01:53.757",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-05-22T14:15:09.643",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "security@apache.org",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-31453 (GCVE-0-2023-31453)

Vulnerability from cvelistv5

cnvd-2023-42967

Vulnerability from cnvd

ghsa-8rjh-3mhm-966q

Vulnerability from github

gsd-2023-31453

Vulnerability from gsd

fkie_cve-2023-31453

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature