IDOR lets users withdraw others' applications in apache/inlong


Reported on Apr 2nd 2023

Proof of Concept

1. user1 submits an application with id = 8; user2 submits an application with id = 9.

2. user1 withdraws the application and uses Burp Suite to capture the POST request, which looks like: POST /inlong/manager/api/workflow/cancel/8 HTTP/1.1

3. Change 8 to 9, and we find that user2's application is canceled.


Anyone can withdraw others' applications.
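The missing check behind the steps above, modelled in Python as an added example (not code from the report or from Apache InLong). The class and method names, the status values, and the sample data are assumptions made for illustration; the point is the comparison between the session user and the application's owner.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Authenticated caller is not allowed to act on this object."""


@dataclass
class Application:
    id: int
    applicant: str  # user who submitted the application
    status: str = "PENDING"  # status names are constructed for this example


class WorkflowService:
    """Hypothetical stand-in for the handler behind .../workflow/cancel/{id}."""

    def __init__(self, applications):
        self._apps = {a.id: a for a in applications}

    def cancel_vulnerable(self, app_id, session_user):
        # IDOR: the id from the URL path is trusted and session_user is never
        # compared with the applicant, so any logged-in user can cancel any id.
        app = self._apps[app_id]
        app.status = "CANCELED"
        return app

    def cancel_checked(self, app_id, session_user):
        app = self._apps.get(app_id)
        # Object-level authorization: only the applicant may withdraw. An
        # unknown id gets the same error, so ids cannot be probed for existence.
        if app is None or app.applicant != session_user:
            raise Forbidden(f"{session_user} may not cancel application {app_id}")
        if app.status != "PENDING":
            raise ValueError(f"application {app_id} is already {app.status}")
        app.status = "CANCELED"
        return app


def demo():
    # Constructed data matching the report: user1 owns id 8, user2 owns id 9.
    make = lambda: WorkflowService([Application(8, "user1"), Application(9, "user2")])
    out = {"vulnerable": make().cancel_vulnerable(9, "user1").status}
    svc = make()
    try:
        svc.cancel_checked(9, "user1")
    except Forbidden:
        out["checked_other"] = "FORBIDDEN"
    out["checked_own"] = svc.cancel_checked(8, "user1").status
    return out
```

A regression test for this class of bug should always include the cross-user case (user1 acting on id 9), since a test that only cancels the caller's own application passes against both handlers.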

We are processing your report and will contact the apache/inlong team within 24 hours. 2 months ago
lujiefsi modified the report 2 months ago
We have contacted a member of the apache/inlong team and are waiting to hear back 2 months ago
apache/inlong maintainer has acknowledged this report 2 months ago
ASF Security Team validated this vulnerability 2 months ago

We accept this report as a security issue.

We believe it was fixed in - would you have any chance to verify that you agree this fix is sufficient?

We plan to allocate a CVE to track this issue, and would be happy to credit you. How would you like to be credited?

Note that this CVE will be allocated through the Apache CNA, so it will not be necessary to allocate a CVE from

We plan to publish this CVE after releasing an inlong version where this issue is fixed. We'd appreciate it if you keep this issue private until then.

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
2 months ago


"would you have any chance to verify that you agree this fix is sufficient" LGTM

How would you like to be credited? With my email:

3 days ago

This issue has been disclosed as CVE-2023-31064

ASF Security Team marked this as fixed in 1.7.0 with commit e05199 3 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 3 days ago
3 days ago


@admin of hunter, could you please assign CVE-2023-31064 to the report? I also hope that other Apache InLong reports that I have submitted will have the same process. Thank you very much.
