Users who joined later can see the data of deleted users in apache/inlong

Valid

Reported on

Apr 3rd 2023


Proof of Concept

1. admin creates a user named user1
2. user1 logs in and creates an Inlong Group
3. admin deletes user1
4. admin creates another user whose name is also user1
5. user1 logs in and can see the Inlong Group created by the old user1

Impact

information disclosure
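The five steps above describe a classic ownership-by-username bug: resources are tagged with a reusable name rather than a stable identity, and deleting the account does nothing to the resources it owned. The following is an added illustration written for this page in plain Python; it is not InLong's code and does not claim to reproduce the fix in the linked pull request. The in-memory service classes, the group id `old_user1_group` and the method names are all constructed for the example. It runs the report's steps against a name-keyed model (reproduces the leak) and against a hardened model that keys ownership on an immutable user id and cleans up a deleted user's groups.

```python
"""Added illustration of the report's ownership bug (not InLong code).

Weak model : groups owned by username, nothing happens to them on delete.
Hard model : groups owned by immutable uid, delete cascades to the groups.
"""
import itertools
from dataclasses import dataclass


@dataclass
class User:
    uid: int      # immutable, never reused
    name: str     # mutable / reusable


@dataclass
class Group:
    group_id: str
    owner: object  # username (str) in the weak model, uid (int) in the hardened one


class NameKeyedService:
    """Weak model: ownership recorded by username; deleting a user leaves its
    groups in place, so the next account with the same name matches them."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.users = {}    # name -> User
        self.groups = []   # every group, owner == username

    def create_user(self, name):
        user = User(next(self._ids), name)
        self.users[name] = user
        return user

    def login(self, name):
        return self.users[name]

    def create_group(self, user, group_id):
        self.groups.append(Group(group_id, user.name))

    def delete_user(self, name):
        del self.users[name]   # groups are not touched (the defect)

    def visible_groups(self, user):
        return [g.group_id for g in self.groups if g.owner == user.name]


class IdKeyedService(NameKeyedService):
    """Hardened model: ownership recorded by uid, and deleting a user removes
    the groups it owned (reassigning them to an administrator is the other
    reasonable choice). Either measure alone closes the leak; both together
    leave nothing for a recreated name to inherit."""

    def create_group(self, user, group_id):
        self.groups.append(Group(group_id, user.uid))

    def delete_user(self, name):
        uid = self.users.pop(name).uid
        self.groups = [g for g in self.groups if g.owner != uid]

    def visible_groups(self, user):
        return [g.group_id for g in self.groups if g.owner == user.uid]


def reproduce(service_cls):
    """Runs the report's five steps and returns the group ids the recreated
    user1 can see. Constructed scenario; group id is a placeholder."""
    svc = service_cls()
    svc.create_user("user1")                   # 1 admin creates user1
    old = svc.login("user1")                   # 2 user1 logs in ...
    svc.create_group(old, "old_user1_group")   #   ... and creates a group
    svc.delete_user("user1")                   # 3 admin deletes user1
    svc.create_user("user1")                   # 4 admin creates a new user1
    new = svc.login("user1")                   # 5 new user1 logs in
    return svc.visible_groups(new)


if __name__ == "__main__":
    print("name-keyed:", reproduce(NameKeyedService))  # ['old_user1_group']
    print("id-keyed:  ", reproduce(IdKeyedService))    # []
```

When auditing a real system for this bug class, the two questions to ask are whether ownership and ACL rows reference a surrogate key or a display name, and what the user-delete path does to the rows that reference the deleted account; a soft-delete that also refuses to reuse a retired name is a further belt-and-braces option.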

We are processing your report and will contact the apache/inlong team within 24 hours. 2 months ago
We have contacted a member of the apache/inlong team and are waiting to hear back 2 months ago
ASF Security Team validated this vulnerability a month ago

Thank you for your report, we confirm we consider this a security issue. We have a tentative fix at https://github.com/apache/inlong/pull/7836 - would you be interested in confirming it indeed fixes the issue?

Following the process at https://www.apache.org/security/committers.html , we are planning to create a release with the fix and then issue a CVE for this issue. We'd be happy to credit you in the CVE - how would you like to be credited?

lujiefsi has been awarded the disclosure bounty
lujiefsi
a month ago

Researcher


would you be interested in confirming it indeed fixes the issue?

LGTM

how would you like to be credited

credit me as lujie.ac.cn

ASF Security Team marked this as fixed in 1.7.0 with commit 5ad870 3 days ago
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 3 days ago
ASF
3 days ago

Maintainer


CVE-2023-31101 was disclosed for this issue
