IDOR lets users withdraw others' applications in apache/inlong
Reported on
Apr 2nd 2023
Proof of Concept
1. user1 submits an application with id = 8, user2 submits an application with id = 9
2. user1 withdraws the application; using Burp Suite, capture the POST, which looks like: POST /inlong/manager/api/workflow/cancel/8 HTTP/1.1
3. Change 8 to 9 and we can find that user2's application is cancelled.
Impact
Anyone can withdraw others' applications.
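An added illustration, not code from apache/inlong or from the reporter: a minimal in-memory model of the workflow cancel operation, showing the missing ownership check that produces the IDOR above beside a hardened version that compares the applicant with the caller before mutating anything. The class and function names and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass


# Constructed sample record type mirroring the report: an application
# has an id, the user who submitted it, and a workflow status.
@dataclass
class Application:
    id: int
    applicant: str
    status: str = "PROCESSING"


class AuthzError(Exception):
    """Raised when the caller may not act on the requested application."""


class WorkflowService:
    def __init__(self, apps):
        self.apps = {a.id: a for a in apps}

    def cancel_vulnerable(self, app_id: int, current_user: str) -> Application:
        # Only checks that the record exists; never compares the applicant
        # with the caller, so editing the id in the URL cancels someone
        # else's application (the IDOR described in the report).
        app = self.apps[app_id]
        app.status = "CANCELED"
        return app

    def cancel_fixed(self, app_id: int, current_user: str) -> Application:
        # Load the record, then verify the caller owns it before mutating.
        # Missing and not-owned records raise the same error so the endpoint
        # cannot be used to learn which ids exist.
        app = self.apps.get(app_id)
        if app is None or app.applicant != current_user:
            raise AuthzError(f"user {current_user} may not cancel {app_id}")
        if app.status != "PROCESSING":
            raise ValueError(f"application {app_id} is already {app.status}")
        app.status = "CANCELED"
        return app


def attempt_cancel(svc: WorkflowService, app_id: int, user: str, hardened: bool) -> str:
    """Return the application's status after the request, or 'DENIED'."""
    cancel = svc.cancel_fixed if hardened else svc.cancel_vulnerable
    try:
        return cancel(app_id, user).status
    except AuthzError:
        return "DENIED"


def sample_service() -> WorkflowService:
    # Constructed data: user1 owns id 8, user2 owns id 9, as in the report.
    return WorkflowService([Application(8, "user1"), Application(9, "user2")])


if __name__ == "__main__":
    print(attempt_cancel(sample_service(), 9, "user1", hardened=False))  # CANCELED
    print(attempt_cancel(sample_service(), 9, "user1", hardened=True))   # DENIED
```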
We accept this report as a security issue.
We believe it was fixed in https://github.com/apache/inlong/pull/7799 - would you have any chance to verify that you agree this fix is sufficient?
We plan to allocate a CVE to track this issue, and would be happy to credit you. How would you like to be credited?
Note that this CVE will be allocated through the Apache CNA, so it will not be necessary to allocate a CVE from huntr.dev.
We plan to publish this CVE after releasing an inlong version where this issue is fixed. We'd appreciate it if you keep this issue private until then.
"would you have any chance to verify that you agree this fix is sufficient" LGTM
How would you like to be credited? With my email: lujie@ict.ac.cn
@admin of huntr, could you please assign CVE-2023-31064 to the report? I also hope that other Apache InLong reports that I have submitted will have the same process. Thank you very much.