Insufficient Session Expiration in apache/inlong


Reported on

Apr 2nd 2023


User session are still vaild when users is deleted or password is changed

Proof of Concept

1 user1 login in browser1

2 admin delete user1 in browser2

3 user1 can still do anyting


An old session can be used by an attacker even after the users was deleted or password has been changed. Deleting user or a password change is a way to react to an account breach and should guarantee that the attacker no longer has access. However, in this case the session is still active and the attacker can perform all actions tied to that session until it expires.

We are processing your report and will contact the apache/inlong team within 24 hours. 2 months ago
lujiefsi modified the report
2 months ago
We have contacted a member of the apache/inlong team and are waiting to hear back 2 months ago
apache/inlong maintainer has acknowledged this report 2 months ago
ASF Security Team validated this vulnerability a month ago

Thank you for your report, we confirm we consider this a security issue. We have a tentative fix at - would you be interested in confirming it indeed fixes the issue?

Following the process at , we are planning to create a release with the fix and then issue a CVE for this issue. We'd be happy to credit you in the CVE - how would you like to be credited?

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a month ago


“would you be interested in confirming it indeed fixes the issue?” Only one question: why not we invalid the session directly?

"how would you like to be credited"

credited me as

a month ago


As we use shiro to manage the session, so we can use sessionmanager.getsessionDao.delete(session) to delete the session. We can use sessionManager.getSessionDAO().getActiveSessions() to get the user's session.

a month ago


Thank you for that suggestion, we have added .

a month ago



ASF Security Team marked this as fixed in 1.7.0 with commit f75f06 3 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 3 days ago
3 days ago


This issue was disclosed as CVE-2023-31065

to join this conversation