IDOR lets users withdraw others' applications in apache/inlong

Valid

Reported on Apr 2nd 2023


Proof of Concept

1. user1 submits an application with id = 8; user2 submits an application with id = 9.

2. user1 withdraws the application. Using Burp Suite, capture the POST request, which looks like: POST /inlong/manager/api/workflow/cancel/8 HTTP/1.1

3. Change 8 to 9, and we can see that user2's application is cancelled.

Impact

Anyone can withdraw others' applications.
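As an added example (not part of this report and not InLong's own code), the server-side ownership check that closes this class of IDOR: the ids, users and endpoint path come from the PoC above, while the handler shape, the `requester` parameter and the in-memory store are assumptions.

```python
from dataclasses import dataclass

# Added example, not InLong's code: a minimal model of the cancel endpoint
# from the report. `requester` stands for the identity taken from the
# authenticated session; `process_id` is the path parameter the client
# controls, as in POST /inlong/manager/api/workflow/cancel/{id}.

@dataclass
class Process:
    process_id: int
    applicant: str            # user who submitted the application
    status: str = "PROCESSING"

def fresh_store():
    """Constructed sample data mirroring the PoC: user1 owns 8, user2 owns 9."""
    return {8: Process(8, "user1"), 9: Process(9, "user2")}

def handle_cancel(store, requester, process_id, check_owner=True):
    """Returns an HTTP-style status code for a cancel request.

    check_owner=False reproduces the reported behaviour: any authenticated
    caller who supplies an id can cancel it. check_owner=True is the
    hardened behaviour: the decision is made from the applicant stored
    server-side, never from anything carried in the request.
    """
    proc = store.get(process_id)
    if proc is None:
        return 404
    if check_owner and proc.applicant != requester:
        return 403            # not the applicant: refuse and leave state untouched
    proc.status = "CANCELED"
    return 200

def replay_poc(check_owner):
    """Step 3 of the PoC: user1 replays its cancel request with id 9.
    Returns (status code, user2's application status afterwards)."""
    store = fresh_store()
    code = handle_cancel(store, "user1", 9, check_owner=check_owner)
    return code, store[9].status

if __name__ == "__main__":
    print("vulnerable:", replay_poc(check_owner=False))  # (200, 'CANCELED')
    print("fixed:     ", replay_poc(check_owner=True))   # (403, 'PROCESSING')
```

The point to carry into a real handler is that the applicant comparison uses the record loaded from the database, so a client that changes the path id gains nothing.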

We are processing your report and will contact the apache/inlong team within 24 hours. 2 months ago
lujiefsi modified the report 2 months ago
We have contacted a member of the apache/inlong team and are waiting to hear back 2 months ago
apache/inlong maintainer has acknowledged this report 2 months ago
ASF Security Team validated this vulnerability 2 months ago

We accept this report as a security issue.

We believe it was fixed in https://github.com/apache/inlong/pull/7799 - would you have any chance to verify that you agree this fix is sufficient?

We plan to allocate a CVE to track this issue, and would be happy to credit you. How would you like to be credited?

Note that this CVE will be allocated through the Apache CNA, so it will not be necessary to allocate a CVE from huntr.dev.

We plan to publish this CVE after releasing an inlong version where this issue is fixed. We'd appreciate it if you keep this issue private until then.

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
lujiefsi (Researcher), 2 months ago

"would you have any chance to verify that you agree this fix is sufficient" LGTM

How would you like to be credited? With my email: lujie@ict.ac.cn

ASF
3 days ago

This issue has been disclosed as CVE-2023-31064

ASF Security Team marked this as fixed in 1.7.0 with commit e05199 3 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 3 days ago
lujiefsi (Researcher), 3 days ago

@admin of huntr, could you please assign CVE-2023-31064 to the report? I also hope that other Apache InLong reports that I have submitted will have the same process. Thank you very much.
