IDOR lets users delete others' subscriptions in apache/inlong

Valid

Reported on

Apr 17th 2023


Proof of Concept

1 user1 creates subscription1

2 user2 creates subscription2

3 user2 deletes subscription2

4 user2 intercepts the request with Burp Suite

5 the intercepted request is DELETE /inlong/manager/api/consume/delete/2

6 change the request to DELETE /inlong/manager/api/consume/delete/1

 1 is the id of subscription1. user2 is not the owner of subscription1.

7 result:

{"success":true,"errMsg":null,"data":true}
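The report's steps, modelled as an added example (not InLong's own code): a tiny in-memory consume store whose delete handler first lacks an ownership check, as reported, and then enforces one. The endpoint behaviour, the `admin` role and the "no permission" message are assumptions for illustration.

```python
# Added illustration, not code from apache/inlong: a minimal model of the
# /inlong/manager/api/consume/delete/{id} handler with and without an
# ownership check. Store, admin role and error text are assumed.
from dataclasses import dataclass, field


@dataclass
class Subscription:
    sub_id: int
    owner: str


@dataclass
class ConsumeStore:
    subs: dict = field(default_factory=dict)
    next_id: int = 1

    def create(self, user: str) -> int:
        sub_id = self.next_id
        self.subs[sub_id] = Subscription(sub_id, user)
        self.next_id += 1
        return sub_id

    def delete_vulnerable(self, user: str, sub_id: int) -> dict:
        """Checks only that the record exists: any authenticated user can delete it (the IDOR)."""
        if sub_id not in self.subs:
            return {"success": False, "errMsg": "not found", "data": None}
        del self.subs[sub_id]
        return {"success": True, "errMsg": None, "data": True}

    def delete_fixed(self, user: str, sub_id: int, admins=("admin",)) -> dict:
        """Hardened: the caller must own the record (or hold an assumed admin role)."""
        sub = self.subs.get(sub_id)
        if sub is None:
            return {"success": False, "errMsg": "not found", "data": None}
        if sub.owner != user and user not in admins:
            return {"success": False, "errMsg": "no permission", "data": None}
        del self.subs[sub_id]
        return {"success": True, "errMsg": None, "data": True}


def replay_poc(fixed: bool):
    """Report steps: user1 creates id 1, user2 creates id 2, user2 deletes id 1."""
    store = ConsumeStore()
    store.create("user1")  # subscription1 -> id 1
    store.create("user2")  # subscription2 -> id 2
    delete = store.delete_fixed if fixed else store.delete_vulnerable
    result = delete("user2", 1)
    return result, sorted(store.subs)  # response body, remaining subscription ids
```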

Impact

An attacker can delete other users' subscriptions even though they are not the owner of the deleted subscription.

We are processing your report and will contact the apache/inlong team within 24 hours. a month ago
lujiefsi modified the report
a month ago
We have contacted a member of the apache/inlong team and are waiting to hear back a month ago
apache/inlong maintainer has acknowledged this report a month ago
lujiefsi
a month ago

Researcher


So it was not a security issue? And thus can we mark it as informative?

lujiefsi modified the report
a month ago
lujiefsi
a month ago

Researcher


Make the Proof of Concept more clear!

ASF
a month ago

Maintainer


The team does accept this report as a security vulnerability, and is planning to issue a CVE for it. There is a tentative fix at https://github.com/apache/inlong/pull/7949, if you have a chance we would much appreciate your review. We'd appreciate it if you'd keep this issue private until we have released a version with the fix and disclosed the CVE.

ASF Security Team validated this vulnerability 3 days ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ASF Security Team marked this as fixed in 1.7.0 with commit 7214e0 3 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 3 days ago
ASF
3 days ago

Maintainer


This issue was disclosed as https://www.cve.org/CVERecord?id=CVE-2023-31453
