Risk | High
Patch available | YES
Number of vulnerabilities | 11
CVE-ID | CVE-2023-31062, CVE-2023-31103, CVE-2023-31065, CVE-2023-31058, CVE-2023-31454, CVE-2023-31453, CVE-2023-31206, CVE-2023-31101, CVE-2023-31098, CVE-2023-31066, CVE-2023-31064
CWE-ID | CWE-287, CWE-668, CWE-613, CWE-502, CWE-284, CWE-264, CWE-521
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | Apache InLong (Server applications / Other server solutions)
Vendor | Apache Foundation
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
EUVDB-ID: #VU78811
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31062
CWE-ID: CWE-287 - Improper Authentication
Exploit availability: No
Description: The vulnerability allows a remote user to bypass the authentication process.
The vulnerability exists due to an error in the processing of authentication requests. A remote user with a valid cookie can bypass the authentication process and gain unauthorized access to privileged parts of the application.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.2.0 - 1.6.0
External links: http://lists.apache.org/thread/btorjbo9o71h22tcvxzy076022hjdzq0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78813
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31103
CWE-ID: CWE-668 - Exposure of Resource to Wrong Sphere
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to missing access controls. A remote non-authenticated attacker can change the immutable name and type of an InLong cluster.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.4.0 - 1.6.0
External links: http://lists.apache.org/thread/bv51zhjookcnfbz8b0xsl9wv78sn0j1p
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78812
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31065
CWE-ID: CWE-613 - Insufficient Session Expiration
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an insufficient session expiration issue. A remote non-authenticated attacker can obtain or guess a session token and gain unauthorized access to a session that belongs to another user. This includes sessions for accounts that have been deleted or whose password has been changed.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.4.0 - 1.6.0
External links: http://lists.apache.org/thread/to7o0n2cks0omtwo6mhh5cs2vfdbplqf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78820
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31058
CWE-ID: CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.4.0 - 1.6.0
External links: http://lists.apache.org/thread/bkcgbn9l61croxfyspf7xd42qb189s3z
http://github.com/apache/inlong/pull/7674
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78821
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31454
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and bind any cluster.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.2.0 - 1.6.0
External links: http://lists.apache.org/thread/nqt1tr6pbq8q4b033d7sg5gltx5pmjgl
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78822
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31453
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and delete other users' subscriptions.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.2.0 - 1.6.0
External links: http://lists.apache.org/thread/9nz8o2skgc5230w276h4w92j0zstnl06
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78823
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31206
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and change the immutable name and type of nodes.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.4.0 - 1.6.0
External links: http://lists.apache.org/thread/qb7zffo785wzpmsobjqcypodngw6kg6x
http://github.com/apache/inlong/pull/7891
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78825
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31101
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to an error in the way new user registrations are handled. A remote newly registered user can see data of previously deleted users.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.5.0 - 1.6.0
External links: http://lists.apache.org/thread/shvwwr6toqz5rr39rwh4k03z08sh9jmr
http://github.com/apache/inlong/pull/7836
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78826
Risk: Medium
CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31098
CWE-ID: CWE-521 - Weak Password Requirements
Exploit availability: No
Description: The vulnerability allows an attacker to perform a brute-force attack and guess the password.
The vulnerability exists due to weak password requirements, as Apache InLong users can change their current passwords to simple password strings. An attacker can perform a brute-force attack and guess users' passwords, which can result in application compromise.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.1.0 - 1.6.0
External links: http://lists.apache.org/thread/1fvloc3no1gbffzrcsx9ltsg08wr2d1w
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78827
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31066
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and delete, edit, stop, and start other users' sources.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.4.0 - 1.6.0
External links: http://lists.apache.org/thread/x7y05wo37sq5l9fnmmsjh2dr9kcjrcxf
http://github.com/apache/inlong/pull/7775
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU78832
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31064
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and cancel other users' applications.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Apache InLong: 1.2.0 - 1.6.0
External links: http://lists.apache.org/thread/1osd2k3t3qol2wdsswqtr9gxdkf78n00
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.