Insufficient Session Expiration in apache/inlong
Reported on
Apr 2nd 2023
Description
User sessions are still valid after the user is deleted or the password is changed.
Proof of Concept
1 user1 logs in in browser1
2 admin deletes user1 in browser2
3 user1 can still do anything
Impact
An old session can be used by an attacker even after the user was deleted or the password has been changed. Deleting a user or changing a password is a way to react to an account breach and should guarantee that the attacker no longer has access. However, in this case the session is still active and the attacker can perform all actions tied to that session until it expires.
Thank you for your report, we confirm we consider this a security issue. We have a tentative fix at https://github.com/apache/inlong/pull/7836 - would you be interested in confirming it indeed fixes the issue?
Following the process at https://www.apache.org/security/committers.html , we are planning to create a release with the fix and then issue a CVE for this issue. We'd be happy to credit you in the CVE - how would you like to be credited?
"would you be interested in confirming it indeed fixes the issue?" Only one question: why don't we invalidate the session directly?
"how would you like to be credited"
Credit me as lujie.ac.cn
As we use Shiro to manage the session, we can use sessionManager.getSessionDAO().delete(session) to delete the session. We can use sessionManager.getSessionDAO().getActiveSessions() to get the user's sessions.
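A sketch of the approach described above, added here as an illustration; it is not code from the InLong project or from the pull requests linked in this thread. It assumes Shiro's DefaultSessionManager is reachable from the user-management code, that the configured SessionDAO supports getActiveSessions() (the default MemorySessionDAO does), and that the primary principal's string form is the username; the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.apache.shiro.session.Session;
import org.apache.shiro.session.mgt.DefaultSessionManager;
import org.apache.shiro.session.mgt.eis.SessionDAO;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.support.DefaultSubjectContext;

/** Hypothetical helper: call from the delete-user and change-password paths. */
public class UserSessionInvalidator {

    private final DefaultSessionManager sessionManager;

    public UserSessionInvalidator(DefaultSessionManager sessionManager) {
        this.sessionManager = sessionManager;
    }

    /** Removes every active session of {@code username}; returns how many were removed. */
    public int invalidateSessionsOf(String username) {
        SessionDAO dao = sessionManager.getSessionDAO();
        // Only DAOs that can enumerate sessions (MemorySessionDAO,
        // EnterpriseCacheSessionDAO) return anything useful here.
        Collection<Session> active = dao.getActiveSessions();
        // Collect first, then delete: removing from the live collection while
        // iterating it may throw or skip entries.
        List<Session> toDelete = new ArrayList<>();
        for (Session session : active) {
            if (username.equals(primaryPrincipalOf(session))) {
                toDelete.add(session);
            }
        }
        for (Session session : toDelete) {
            dao.delete(session); // the old session id is no longer resolvable
        }
        return toDelete.size();
    }

    /** Shiro keeps the authenticated principals as a session attribute. */
    static String primaryPrincipalOf(Session session) {
        Object attr = session.getAttribute(DefaultSubjectContext.PRINCIPALS_SESSION_KEY);
        if (attr instanceof PrincipalCollection) {
            Object primary = ((PrincipalCollection) attr).getPrimaryPrincipal();
            return primary == null ? null : primary.toString(); // assumption: username
        }
        return null; // anonymous session, nobody is logged in
    }
}
```

Sessions backed by a DAO that cannot enumerate (for example a plain cookie/JWT store) need a different revocation signal, such as checking the user's password-change timestamp on each request.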
Thank you for that suggestion, we have added https://github.com/apache/inlong/pull/7884 .