Lucene search

GoogleOSV:GHSA-CP2C-X2PC-FPH7

HistoryJul 30, 2024 - 9:32 a.m.

Apache SeaTunnel Web Authentication vulnerability

2024-07-3009:32:05

Google

osv.dev

apache seatunnel

web authentication

hardcoded jwt key

attacker

token

security vulnerability

upgrade

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

9.4%

JSON

Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user.

Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0.

Users are recommended to upgrade to version 1.0.1, which fixes the issue.

References

www.openwall.com/lists/oss-security/2024/07/30/1

github.com/apache/seatunnel

github.com/apache/seatunnel-web/commit/4a37ebfa4b57e177bf7857cf39a6dbdc00f75f78

lists.apache.org/thread/1tdxfjksx0vb9gtyt77wlr6rdcy1qwmw

nvd.nist.gov/vuln/detail/CVE-2023-48396

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

6.8

Confidence

High

EPSS

Percentile

9.4%

JSON

Related for OSV:GHSA-CP2C-X2PC-FPH7