CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 82.3%
org.apache.submarine:submarine-commons-utils is vulnerable to Improper Authentication. The vulnerability is caused by a hard-coded JSON Web Token (JWT) key (SUBMARINE_SECRET_12345678901234567890) within SubmarineConfVars.java, which allows attackers to generate unauthorized JWT tokens, bypass authentication, and potentially gain access to sensitive data and functionality.
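One way to guard against this class of bug, as an added example (not Submarine's code and not the change made in the referenced commit): resolve the signing secret at startup, refuse the published default and anything too short, and fall back to a random per-process key. The class name, the EXAMPLE_JWT_SECRET variable and the HMAC-SHA256 assumption behind the 32-byte minimum are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

/** Added example: resolves a JWT signing secret without any compiled-in default. */
public final class JwtSecretResolver {
    // The value this advisory reports as hard-coded in SubmarineConfVars.java.
    static final String KNOWN_DEFAULT = "SUBMARINE_SECRET_12345678901234567890";
    // Assumption: tokens are signed with HMAC-SHA256, so require a key of at least 32 bytes.
    static final int MIN_KEY_BYTES = 32;

    /** Returns the key bytes to sign with; 'configured' is the operator-supplied value or null. */
    static byte[] resolve(String configured) {
        if (configured == null || configured.trim().isEmpty()) {
            // Nothing configured: use a random key instead of a shared constant.
            // Tokens then stop verifying after a restart and across replicas.
            byte[] key = new byte[MIN_KEY_BYTES];
            new SecureRandom().nextBytes(key);
            return key;
        }
        if (configured.equals(KNOWN_DEFAULT)) {
            throw new IllegalStateException("JWT secret is the published default; rotate it");
        }
        byte[] key = configured.getBytes(StandardCharsets.UTF_8);
        if (key.length < MIN_KEY_BYTES) {
            throw new IllegalStateException("JWT secret is shorter than " + MIN_KEY_BYTES + " bytes");
        }
        return key;
    }

    public static void main(String[] args) {
        // EXAMPLE_JWT_SECRET is a hypothetical variable name, not a Submarine setting.
        // The remaining entries are constructed sample inputs.
        String[] samples = {
            System.getenv("EXAMPLE_JWT_SECRET"),
            KNOWN_DEFAULT,
            "too-short",
            "constructed-sample-0f3a9c71e2b84d56a7c1"
        };
        for (String sample : samples) {
            try {
                System.out.println("accepted, key of " + resolve(sample).length + " bytes");
            } catch (IllegalStateException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```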
www.openwall.com/lists/oss-security/2024/06/12/2
github.com/advisories/GHSA-jwcg-wv5x-vg3g
github.com/apache/submarine/commit/7a1d551798c6785fc68fe028fc46f74c3ee6976d
github.com/apache/submarine/pull/1125
issues.apache.org/jira/browse/SUBMARINE-1417
lists.apache.org/thread/7mo0c7vbhpo8thvybl8wwvb0bccrg7r4