CVE-2023-48396

Published: Jul 30, 2024 - 9:15 a.m. (2024-07-30 09:15:02)
CWE: CWE-290
Vendor: apache
Source: web.nvd.nist.gov
Tags: apache seatunnel, web authentication, hardcoded jwt key, security vulnerability, application upgrade, cve-2023-48396

CVSS3: 9.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 6.6
Confidence: High
EPSS: 0
Percentile: 9.4%

Web Authentication vulnerability in Apache SeaTunnel. Since the JWT signing key is hardcoded in the application, an attacker can forge a token for any user and log in as that user.

An attacker can obtain the secret key from /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0.

Users are recommended to upgrade to version 1.0.1, which fixes the issue.
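The defensive pattern the advisory implies (a per-deployment JWT secret supplied at runtime instead of a key committed to application.yml, plus a startup check that refuses the shipped default) as an added Python example. This is not SeaTunnel's code or its fix; the JWT_SIGNING_KEY variable name, the 32-byte minimum and the placeholder default key are assumptions, and the real SeaTunnel key is not reproduced.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets

# Constructed placeholder standing in for a key that ships in a config file.
# Any value that matches it is treated as "never rotated" and rejected.
HARDCODED_PLACEHOLDER_KEY = "CHANGE-ME-default-jwt-key"
ENV_VAR = "JWT_SIGNING_KEY"  # assumed deployment-time setting
MIN_KEY_BYTES = 32           # assumed minimum for an HS256 secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def validate_jwt_key(value, min_bytes: int = MIN_KEY_BYTES) -> bytes:
    """Accept a candidate key string or raise describing why it is unsafe."""
    if value is None:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to fall back to a built-in key")
    if value == HARDCODED_PLACEHOLDER_KEY:
        raise RuntimeError("JWT key matches the shipped default; rotate it before deployment")
    if len(value.encode()) < min_bytes:
        raise RuntimeError(f"JWT key must be at least {min_bytes} bytes")
    return value.encode()


def key_rejection_reason(value):
    """Return the rejection message for a candidate key, or None if it is acceptable."""
    try:
        validate_jwt_key(value)
    except RuntimeError as exc:
        return str(exc)
    return None


def load_jwt_key() -> bytes:
    """Read the signing key from the environment at startup, never from source."""
    return validate_jwt_key(os.environ.get(ENV_VAR))


def sign_hs256(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes):
    """Return the claims if the token verifies under `key`, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # reject "none" and algorithm-confusion attempts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return claims


def demo():
    """Issue a token under a per-deployment key and show a default-key token is rejected."""
    os.environ[ENV_VAR] = secrets.token_urlsafe(48)  # generated at deploy time, not committed
    key = load_jwt_key()
    legitimate = sign_hs256({"sub": "alice", "role": "user"}, key)
    # A token minted with the placeholder default must fail verification
    # once the service uses its own key.
    stale_default = sign_hs256({"sub": "admin", "role": "admin"}, HARDCODED_PLACEHOLDER_KEY.encode())
    return verify_hs256(legitimate, key), verify_hs256(stale_default, key)


if __name__ == "__main__":
    print(demo())
```

The startup check is the part that matters operationally: a service that refuses to boot with the shipped key cannot be deployed in the vulnerable state by accident, and the environment variable keeps the secret out of the repository and out of the packaged application.yml.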

Affected configurations

Vulners / Vulnrichment node

Vendor                       Product        Range
apache_software_foundation   apache_struts  <= 1.0.0

Vendor                       Product        Version  CPE
apache_software_foundation   apache_struts  *        cpe:2.3:a:apache_software_foundation:apache_struts:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache SeaTunnel Web",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "1.0.0"
      }
    ]
  }
]
