Users who joined later can see the data of deleted users in apache/inlong
Apr 3rd 2023
Proof of Concept
1 admin create a user, named as user1
2 user1 login and create Inlong Group
3 admin delete user1
4 admin create aonther user, whose name is also user1
5 user1 login and can see the Inlong Group created by old user1
Thank you for your report, we confirm we consider this a security issue. We have a tentative fix at https://github.com/apache/inlong/pull/7836 - would you be interested in confirming it indeed fixes the issue?
Following the process at https://www.apache.org/security/committers.html , we are planning to create a release with the fix and then issue a CVE for this issue. We'd be happy to credit you in the CVE - how would you like to be credited?
would you be interested in confirming it indeed fixes the issue?
how would you like to be credited
credited me as lujie.ac.cn
CVE-2023-31101 was disclosed for this issue