IDOR allows users to bind any cluster in apache/inlong

Valid

Reported on

Apr 17th 2023


Proof of Concept

1 admin creates cluster1, cluster2, clusterTag1 and clusterTag2

2 admin adds user1 as owner of cluster1 and clusterTag1

3 user1 binds clusterTag1 to cluster1

4 user1 uses Burp Suite to intercept the request

5 the request content can be

{"clusterTag":"biaoqia4","bindClusters":[1]}

6 change the request content:

{"clusterTag":"biaoqia4","bindClusters":[1,2]}

  2 is the id of cluster2. user1 is not the owner of cluster2.

7 result:

{"success":true,"errMsg":null,"data":true}

Impact

An attacker can bind any cluster, even if they are not the owner of that cluster.
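
A minimal model of the missing server-side check, added here as an illustration; it is not InLong's code and not the fix from the project's pull request. The `Cluster` class, the owner sets and the function names are assumptions, and the sample state is constructed to match the steps above.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller references an object they do not own."""

@dataclass
class Cluster:
    id: int
    owners: set                      # usernames allowed to manage this cluster
    tags: set = field(default_factory=set)

def sample_state():
    # Constructed data: user1 owns cluster 1 and the tag, but not cluster 2.
    clusters = {1: Cluster(1, {"admin", "user1"}), 2: Cluster(2, {"admin"})}
    tag_owners = {"biaoqia4": {"admin", "user1"}}
    return clusters, tag_owners

def bind_tag_unchecked(clusters, tag_owners, user, request):
    """Behaviour described in the report: ids from the body are trusted."""
    for cid in request["bindClusters"]:
        clusters[cid].tags.add(request["clusterTag"])
    return {"success": True, "errMsg": None, "data": True}

def bind_tag_checked(clusters, tag_owners, user, request):
    """Authorize every object the request references before any write."""
    tag, ids = request["clusterTag"], request["bindClusters"]
    if user not in tag_owners.get(tag, set()):
        raise Forbidden(f"{user} is not an owner of tag {tag}")
    denied = [cid for cid in ids
              if cid not in clusters or user not in clusters[cid].owners]
    if denied:
        # Reject the whole request so no partial bind is applied.
        raise Forbidden(f"{user} is not an owner of clusters {denied}")
    for cid in ids:
        clusters[cid].tags.add(tag)
    return {"success": True, "errMsg": None, "data": True}

if __name__ == "__main__":
    tampered = {"clusterTag": "biaoqia4", "bindClusters": [1, 2]}
    clusters, tag_owners = sample_state()
    print(bind_tag_unchecked(clusters, tag_owners, "user1", tampered))
    clusters, tag_owners = sample_state()
    try:
        bind_tag_checked(clusters, tag_owners, "user1", tampered)
    except Forbidden as exc:
        print("rejected:", exc)
```

The ownership check runs over the full id list before any cluster is modified, so a request mixing owned and unowned ids changes nothing.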

We are processing your report and will contact the apache/inlong team within 24 hours. 8 months ago
lujiefsi modified the report
8 months ago
lujiefsi modified the report
8 months ago
We have contacted a member of the apache/inlong team and are waiting to hear back 8 months ago
ASF
7 months ago

Maintainer


The team accepts this report as a security vulnerability, and is planning to issue a CVE for it. There is a tentative fix at https://github.com/apache/inlong/pull/7949; if you have a chance, we would much appreciate your review. We'd appreciate it if you'd keep this issue private until we have released a version with the fix and disclosed the CVE.

ASF Security Team validated this vulnerability 6 months ago

This issue was disclosed as CVE-2023-31454: https://www.cve.org/CVERecord?id=CVE-2023-31454

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ASF Security Team marked this as fixed in 1.7.0 with commit 216b9b 6 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 6 months ago
lujiefsi
6 months ago

Researcher


@admin could you please assign CVE-2023-31454 for this issue?
