Attackers can change the immutable name and type of a cluster in apache/inlong

Valid

Reported on

Apr 17th 2023


Proof of Concept

1. An admin creates a cluster.

2. The admin adds user1 as an owner.

3. The attacker logs in as user1.

4. user1 edits the cluster.

5. user1 finds that the name and type cannot be changed.

6. user1 still edits the cluster, using Burp Suite to hijack the request.

7. The request content can look like:

{"name":"cluster1","type":"AGENT","clusterTags":"biaoqian3","inCharges":"admin,user1","description":"tst","id":3,"version":1}

8. Change the name to cluster2 (the type can also be changed).

9. The result shows that the name was successfully changed to te2.

Impact

An attacker can change the immutable name and type of a cluster.
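
The report shows that the name and type were locked only in the edit form, so the server has to enforce them itself. The Java sketch below is an added example, not code from the report or from apache/inlong: the class, record and method names are hypothetical, the records carry a subset of the JSON fields shown in step 7, and the sample values are constructed from that request.

```java
import java.util.Objects;

public class ClusterUpdateGuard {
    // Hypothetical shapes holding a subset of the JSON fields from the report.
    record ClusterRequest(int id, String name, String type, String description, int version) {}
    record ClusterEntity(int id, String name, String type, String description, int version) {}

    // Mimics the observed behaviour: client-supplied name and type overwrite the stored ones.
    static ClusterEntity updateTrustingClient(ClusterEntity stored, ClusterRequest req) {
        return new ClusterEntity(stored.id(), req.name(), req.type(),
                req.description(), stored.version() + 1);
    }

    // Hardened: immutable fields are compared with the stored record on the server,
    // and only the mutable field (description) is taken from the request.
    static ClusterEntity updateEnforcingImmutables(ClusterEntity stored, ClusterRequest req) {
        if (stored.id() != req.id()) {
            throw new IllegalArgumentException("request id does not match stored cluster");
        }
        if (!Objects.equals(stored.name(), req.name())) {
            throw new IllegalArgumentException("cluster name is immutable");
        }
        if (!Objects.equals(stored.type(), req.type())) {
            throw new IllegalArgumentException("cluster type is immutable");
        }
        return new ClusterEntity(stored.id(), stored.name(), stored.type(),
                req.description(), stored.version() + 1);
    }

    public static void main(String[] args) {
        // Constructed sample data based on the request body in step 7.
        ClusterEntity stored = new ClusterEntity(3, "cluster1", "AGENT", "tst", 1);
        ClusterRequest renamed = new ClusterRequest(3, "cluster2", "AGENT", "tst", 1);
        ClusterRequest legit = new ClusterRequest(3, "cluster1", "AGENT", "new text", 1);

        System.out.println("trusting handler stores name: "
                + updateTrustingClient(stored, renamed).name());
        try {
            updateEnforcingImmutables(stored, renamed);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened handler rejects: " + e.getMessage());
        }
        System.out.println("hardened handler accepts description: "
                + updateEnforcingImmutables(stored, legit).description());
    }
}
```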

We are processing your report and will contact the apache/inlong team within 24 hours. a month ago
lujiefsi modified the report
a month ago
We have contacted a member of the apache/inlong team and are waiting to hear back a month ago
apache/inlong maintainer has acknowledged this report a month ago
ASF
a month ago

Maintainer


The project has confirmed the issue and is planning to fix it with https://github.com/apache/inlong/pull/7891 - could you have a look if that looks like a sufficient solution to you?

lujiefsi
a month ago

Researcher


LGTM

ASF
3 days ago

Maintainer


This issue has been disclosed as CVE-2023-31103: https://www.cve.org/CVERecord?id=CVE-2023-31103

ASF Security Team validated this vulnerability 3 days ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ASF Security Team marked this as fixed in 1.7.0 with commit 7cd711 3 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 3 days ago