CVE-2023-31065

Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. An old session can be used by an attacker even after the user has been deleted or the password has been changed. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 https://github.com/apache/inlong/pull/7836 , https://github.com/apache/inlong/pull/7884 https://github.com/apache/inlong/pull/7884 to solve it.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/to7o0n2cks0omtwo6mhh5cs2vfdbplqf	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

History

27 May 2023, 03:21

Type	Values Removed	Values Added
First Time		Apache inlong Apache
CPE		cpe:2.3:a:apache:inlong::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
References	~~(MISC) https://lists.apache.org/thread/to7o0n2cks0omtwo6mhh5cs2vfdbplqf -~~	(MISC) https://lists.apache.org/thread/to7o0n2cks0omtwo6mhh5cs2vfdbplqf - Mailing List, Vendor Advisory

Information

Published : 2023-05-22 16:15

Updated : 2024-10-09 18:35

NVD link : CVE-2023-31065

Mitre link : CVE-2023-31065

CVE.ORG link : CVE-2023-31065

JSON object : View

Products Affected

apache

inlong

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2023-31065", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2023-05-22T16:15:10.027", "references": [{"url": "https://lists.apache.org/thread/to7o0n2cks0omtwo6mhh5cs2vfdbplqf", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0.\u00a0\n\n\nAn old session can be used by an attacker even after the user has been deleted or the password has been changed.\n\n\nUsers are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 https://github.com/apache/inlong/pull/7836 , https://github.com/apache/inlong/pull/7884 https://github.com/apache/inlong/pull/7884 to solve it.\n\n\n\n\n"}], "lastModified": "2024-10-09T18:35:03.500", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A7AAC7B-2146-46D9-8FD9-DA2B5903BB6E", "versionEndIncluding": "1.6.0", "versionStartIncluding": "1.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}