Weak Password Implimentation in apache/inlong

Valid

Reported on

Apr 2nd 2023

Description:

We can change the password with just 1 character when we use change password function.

When you change password, just press any character and then submit. You will see "Your password has been changed".

When users change password to a simple password (with any character or symbol), attacker can easily guess user password and access account.

We are processing your report and will contact the apache/inlong team within 24 hours. 2 months ago

We have contacted a member of the apache/inlong team and are waiting to hear back 2 months ago

A apache/inlong maintainer has acknowledged this report 2 months ago

ASF Security Team validated this vulnerability 3 days ago

lujiefsi has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

ASF Security Team marked this as fixed in 1.7.0 with commit 27eba1 3 days ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

ASF Security Team published this vulnerability 3 days ago

commented 3 days ago

This has been disclosed as CVE-2023-31098

to join this conversation