Miggo Logo
Miggo Vulnerability Database
CVE-2023-31454

CVE-2023-31454: Apache InLong vulnerable to Incorrect Permission Assignment for Critical Resource

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-31454
GHSA ID
GHSA-rf76-whgp-fp56
EPSS Score
0.3504%
CWE
CWE-732
Published
7/6/2023
Updated
11/10/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.inlong:manager-servicemaven>= 1.2.0, < 1.7.01.7.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing authorization checks when binding clusters. The fix in PR #7947 explicitly adds user authentication to the cluster tag binding process. Since the vulnerability title references 'bind any cluster' and the patch modifies ClusterTagController, we can infer the bindClusterTag method (or equivalent) lacked ownership validation in vulnerable versions. The file path follows standard Java package structure for Spring controllers in Apache InLong's manager-service component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In*orr**t P*rmission *ssi*nm*nt *or *riti**l R*sour** Vuln*r**ility in *p**** So*tw*r* *oun**tion *p**** InLon*. T*is issu* *****ts *p**** InLon* *rom *.*.* t*rou** *.*.*. T** *tt**k*r **n *in* *ny *lust*r, *v*n i* ** is not t** *lust*r own*r. Us*rs

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut*oriz*tion ****ks w**n *in*in* *lust*rs. T** *ix in PR #**** *xpli*itly ***s us*r *ut**nti**tion to t** *lust*r t** *in*in* `pro**ss`. Sin** t** vuln*r**ility titl* r***r*n**s '*in* *ny *lust*r' *n* t** p*t** m