Apache InLong Incorrect Permission Assignment for Critical Resource Vulnerability

2023-07-0621:14:59

CWE-732

GitHub Advisory Database

github.com

apache inlong

permission assignment

critical resource

vulnerability

software foundation

upgrade

github

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.002

Percentile

61.1%

JSON

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others’ subscriptions, even if they are not the owner
of the deleted subscription. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7949 to solve it.

Affected configurations

Vulners

Node

org.apache.inlongmanager-webRange1.2.0–1.7.0

org.apache.inlongmanager-serviceRange1.2.0–1.7.0

VendorProductVersionCPE
org.apache.inlongmanager-web*cpe:2.3:a:org.apache.inlong:manager-web:*:*:*:*:*:*:*:*
org.apache.inlongmanager-service*cpe:2.3:a:org.apache.inlong:manager-service:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.inlong	manager-web	*	cpe:2.3:a:org.apache.inlong:manager-web::::::::
org.apache.inlong	manager-service	*	cpe:2.3:a:org.apache.inlong:manager-service::::::::