attack can change the immutable name and type of nodes in apache/inlong
Reported on
Apr 17th 2023
1 admin create a node
2 add user1 as one owner
3 login as user1
4 user1 edit the the node
5 user1 finds that the name and type can not be changed.
6 user1 still edit the node and using the burpsuit to hijack the request
7 the request content can be like
{"name":"te1","type":"CLICKHOUSE","inCharges":"user1,admin","description":"123","username":"admin","token":null,"url":"127.0.0.1:8080","id":1,"version":5}
8 change the name as te2(we can also change type)
9 result shows that the the name was successfully changed as te2
Impact
attack can change the immutable name and type of nodes
The project has confirmed the issue and is planning to fix it with https://github.com/apache/inlong/pull/7891 - could you have a look if that looks like a sufficient solution to you?
So it was not a seucrity issuse? And thus can we mark it as informative?
Sorry for being unclear - the project confirms the report as a security issue, and plans to publish a CVE for it (crediting you) after the fix has been released.
We plan to mark this report as Valid. The reason I didn't do so just yet is because huntr also asks us to review the severity and problem type before marking the report valid, and the team hasn't confirmed those aspects yet.
We would appreciate it if you could keep the issue private until after the disclosure.
We have disclosed this issue as CVE-2023-31206: https://www.cve.org/CVERecord?id=CVE-2023-31206