IDOR lets one user stop, start, delete, and edit others' sources in apache/inlong

Valid

Reported on

Apr 2nd 2023


Proof of Concept

1 user1 creates a source with id =1

2 user2 creates a source with id =2

3 user1 deletes the source with post DELETE /inlong/manager/api/source/delete/1?sourceType= HTTP/1.1

4 user1 replaces the 1 with 2, and finds that he can successfully delete user2's source.

Impact

one can delete, edit, stop, start others' sources!
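The bug pattern from the report and the ownership check that closes it, as an added illustration that is not the researcher's PoC or Apache InLong's own code; the `User`, `Source` and `SourceStore` names are invented stand-ins for the manager's source handling:

```python
# Added example (not InLong's code): an object looked up by a client-supplied id
# with no check that the authenticated user owns it, next to the fixed version.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to operate on the source."""


@dataclass
class User:
    name: str
    is_admin: bool = False


@dataclass
class Source:
    source_id: int
    owner: str            # the user who created the source
    status: str = "stopped"


@dataclass
class SourceStore:
    sources: dict = field(default_factory=dict)

    def create(self, user: User, source_id: int) -> Source:
        src = Source(source_id=source_id, owner=user.name)
        self.sources[source_id] = src
        return src

    # Vulnerable: resolves the source by id and never asks who is calling,
    # so user1 can delete /source/delete/2 just by changing the path parameter.
    def delete_vulnerable(self, user: User, source_id: int) -> bool:
        return self.sources.pop(source_id, None) is not None

    def can_operate(self, user: User, source_id: int) -> bool:
        src = self.sources.get(source_id)
        return src is not None and (user.is_admin or src.owner == user.name)

    def _authorize(self, user: User, source_id: int) -> Source:
        if not self.can_operate(user, source_id):
            # Same error for "unknown id" and "someone else's id", so the
            # response does not reveal which ids exist.
            raise Forbidden(f"{user.name} may not operate on source {source_id}")
        return self.sources[source_id]

    # Fixed: delete, edit, stop and start all pass through the same check.
    def delete(self, user: User, source_id: int) -> bool:
        self._authorize(user, source_id)
        del self.sources[source_id]
        return True

    def set_status(self, user: User, source_id: int, status: str) -> str:
        src = self._authorize(user, source_id)
        src.status = status
        return src.status
```

In a real service the ownership decision belongs in one shared place (a service-layer check or an authorization filter) rather than being repeated per endpoint, since the report shows the same gap across delete, edit, stop and start.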

We are processing your report and will contact the apache/inlong team within 24 hours. 2 months ago
We have contacted a member of the apache/inlong team and are waiting to hear back 2 months ago
apache/inlong maintainer has acknowledged this report 2 months ago
ASF Security Team validated this vulnerability 2 months ago

We confirm this issue and believe we have fixed it with https://github.com/apache/inlong/pull/7775, could you check whether this solution is indeed sufficient?

We will allocate a CVE and publish it when an Apache Inlong version has been released that contains the fix. We'd be happy to credit you in the CVE - how would you like to be credited?

Note to huntr.dev: please do not allocate a CVE for this problem, we will allocate one from the Apache CNA.

We'd appreciate it if you'd keep this issue private until an Apache Inlong version has been released that contains the fix.

lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
lujiefsi
2 months ago

Researcher


I have checked the patch and it seems good. The issue will be private until your maintainer proactively publishes it!

lujiefsi
2 months ago

Researcher


"how would you like to be credited?"

Please credit with my email: lujie@ict.ac.cn

ASF Security Team marked this as fixed in 1.7.0 with commit 231dbd 3 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 3 days ago
ASF
3 days ago

Maintainer


This issue has been disclosed as CVE-2023-31066
