IDOR lets users bind any cluster in apache/inlong


Reported on Apr 17th 2023

Proof of Concept

1 admin creates cluster1, cluster2, clusterTag1 and clusterTag2

2 admin adds user1 as owner of cluster1 and clusterTag1

3 user1 binds clusterTag1 to cluster1

4 user1 uses Burp Suite to intercept the request

5 the request content can be


6 change the request content:


  2 is the id of cluster2; user1 is not the owner of cluster2.

7 result:



The attacker can bind any cluster, even if he is not the owner of that cluster.
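The authorization gap the steps above describe, modelled in Python as an added illustration (not InLong's code; the handler names, request fields and cluster data are constructed assumptions): the vulnerable handler trusts the cluster id taken from the request body, while the fixed handler checks that the caller owns that specific cluster before binding the tag.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the caller is not an owner of the referenced cluster."""


@dataclass
class Cluster:
    id: int
    name: str
    owners: set
    tags: set = field(default_factory=set)


def sample_clusters():
    """Constructed data mirroring the PoC: user1 owns cluster1 but not cluster2."""
    return {
        1: Cluster(1, "cluster1", {"admin", "user1"}),
        2: Cluster(2, "cluster2", {"admin"}),
    }


def bind_tag_vulnerable(clusters, request, current_user):
    """Before: the clusterId in the body is trusted; being logged in is enough."""
    cluster = clusters[request["clusterId"]]
    cluster.tags.add(request["clusterTag"])
    return cluster


def bind_tag_fixed(clusters, request, current_user):
    """After: authorise against the object the request actually references."""
    cluster = clusters.get(request["clusterId"])
    if cluster is None:
        raise KeyError("no such cluster")
    if current_user not in cluster.owners:
        # Record caller and object id: repeated denials across ids are the IDOR signal.
        raise PermissionDenied(
            f"{current_user} is not an owner of cluster {cluster.id}")
    cluster.tags.add(request["clusterTag"])
    return cluster


def is_denied(clusters, request, current_user):
    """True when the hardened handler rejects the request."""
    try:
        bind_tag_fixed(clusters, request, current_user)
    except PermissionDenied:
        return True
    return False
```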



The team accepts this report as a security vulnerability, and is planning to issue a CVE for it. There is a tentative fix at , if you have a chance we would much appreciate your review. We'd appreciate it if you'd keep this issue private until we have released a version with the fix and disclosed the CVE.

ASF Security Team validated this vulnerability 6 months ago

This issue was disclosed as CVE-2023-31454:

ASF Security Team marked this as fixed in 1.7.0 with commit 216b9b 6 months ago
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 6 months ago


@admin could you please assign CVE-2023-31454 for this issue?
