Lucene search
ApacheVULNRICHMENT:CVE-2023-48396HistoryJul 30, 2024 - 8:15 a.m.
CVE-2023-48396 Apache SeaTunnel Web: Authentication bypass
2024-07-3008:15:33
CWE-290
apache
github.com
5
apache seatunnel
authentication bypass
hardcoded jwt key
application.yml
upgrade to 1.0.1
AI Score
6.9
Confidence
High
EPSS
0
Percentile
9.4%
SSVC
Exploitation
none
Automatable
yes
Technical Impact
total
Web Authentication vulnerability in Apache SeaTunnel.Β Since the jwt key is hardcoded in the application, an attacker can forge
any token to log in any user.
Attacker can getΒ secret key inΒ /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token.
This issue affects Apache SeaTunnel: 1.0.0.
Users are recommended to upgrade to version 1.0.1, which fixes the issue.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:apache:seatunnel:1.0.0:*:*:*:*:*:*:*"
],
"vendor": "apache",
"product": "seatunnel",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
],
"defaultStatus": "unknown"
}
]Related
nvd
nvd
CVE-2023-48396
2024-07-30 09:15:02
osv
osv
Apache SeaTunnel Web Authentication vulnerability
2024-07-30 09:32:05
veracode
veracode
Authentication Bypass By Spoofing
2024-07-31 08:55:12
cvelist
cvelist
CVE-2023-48396 Apache SeaTunnel Web: Authentication bypass
2024-07-30 08:15:33
github
github
Apache SeaTunnel Web Authentication vulnerability
2024-07-30 09:32:05
cve
cve
CVE-2023-48396
2024-07-30 09:15:02
AI Score
6.9
Confidence
High
EPSS
0
Percentile
9.4%
SSVC
Exploitation
none
Automatable
yes
Technical Impact
total
Related for VULNRICHMENT:CVE-2023-48396