Weak Password Implementation in apache/inlong


Reported on Apr 2nd 2023


When we use the change password function, we can set a password of just 1 character.

Proof of Concept

When you change the password, just enter any character and then submit. You will see "Your password has been changed".


When users change their password to a simple one (any character or symbol), an attacker can easily guess the user's password and access the account.
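A server-side check of the kind this report found missing on the change-password path, as an added example (not code from apache/inlong or its fix commit). The class name, thresholds and deny list are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example: validation to run in the change-password handler before the
// new password is hashed and stored. All limits below are assumed values.
public class PasswordPolicy {
    static final int MIN_LENGTH = 12;   // assumed minimum length
    static final int MAX_LENGTH = 128;  // assumed cap, bounds hashing cost
    static final Set<String> DENY_LIST = // constructed sample; load a real common-password list
            Set.of("password1234", "123456789012", "qwertyuiop12");

    /** Returns the violations found; an empty list means the password is accepted. */
    static List<String> validate(String username, String oldPassword, String newPassword) {
        List<String> errors = new ArrayList<>();
        if (newPassword == null || newPassword.isEmpty()) {
            errors.add("password is empty");
            return errors;
        }
        // Count code points so a CJK character or emoji counts as one character.
        int length = newPassword.codePointCount(0, newPassword.length());
        if (length < MIN_LENGTH) errors.add("shorter than " + MIN_LENGTH + " characters");
        if (length > MAX_LENGTH) errors.add("longer than " + MAX_LENGTH + " characters");
        if (newPassword.codePoints().distinct().count() < 4)
            errors.add("fewer than 4 distinct characters");
        String lower = newPassword.toLowerCase(Locale.ROOT);
        if (username != null && !username.isEmpty()
                && lower.contains(username.toLowerCase(Locale.ROOT)))
            errors.add("contains the username");
        if (newPassword.equals(oldPassword)) errors.add("same as the current password");
        if (DENY_LIST.contains(lower)) errors.add("on the common-password deny list");
        return errors;
    }

    public static void main(String[] args) {
        // Constructed inputs; "a" and "!" are the single-character case from the report.
        String[] candidates = {"a", "!", "aaaaaaaaaaaa", "alice-2023-pass",
                               "Password1234", "correct horse battery"};
        for (String candidate : candidates) {
            List<String> errors = validate("alice", "old-secret-value", candidate);
            System.out.println("\"" + candidate + "\" -> "
                    + (errors.isEmpty() ? "accepted" : "rejected: " + errors));
        }
    }
}
```

The check has to run on the server for every path that sets a password (registration, change, admin reset), since a client-side rule alone can be bypassed by sending the request directly.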

We are processing your report and will contact the apache/inlong team within 24 hours. 2 months ago
We have contacted a member of the apache/inlong team and are waiting to hear back 2 months ago
apache/inlong maintainer has acknowledged this report 2 months ago
ASF Security Team validated this vulnerability 3 days ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
ASF Security Team marked this as fixed in 1.7.0 with commit 27eba1 3 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ASF Security Team published this vulnerability 3 days ago

This has been disclosed as CVE-2023-31098
