
CVE-2023-48396: Apache SeaTunnel Web Authentication vulnerability

CVSS Score: 8.2 (CVSS 3.1)

Basic Information

EPSS Score: 0.37421%
Published: 7/30/2024
Updated: 8/9/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Package Name: org.apache.seatunnel:seatunnel-web
Ecosystem: maven
Vulnerable Versions: < 1.0.1
First Patched Version: 1.0.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from a hardcoded JWT secretKey in application.yml. The commit and descriptions do not name specific functions, but a static secret in the configuration directly affects every JWT-related function that relies on that key: standard JWT implementations use the secretKey for both token signing and validation, so any function handling those operations inherits the vulnerability. The fix removes the hardcoded value from the configuration, confirming that the key's presence there is what enabled the exploit.
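As an added illustration of the root cause described above (example code written for this page, not SeaTunnel's own), the block below implements a minimal HS256 sign/verify pair with Python's standard library, so the single shared secret is visibly the only thing standing between a token and acceptance, and pairs it with a startup check that refuses to run when the secret is committed in the config file, equals a known default, or is too short. The config shape, the JWT_SECRET environment variable name, the placeholder default value and the minimum length are assumptions, not taken from the project.

```python
# Added example (not SeaTunnel's code): a shared HMAC secret protects both
# signing and validation, so a static value in the config compromises every
# JWT path. load_jwt_secret() shows the mitigation: externalize the secret
# and fail closed at startup on missing, default, or short keys.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for a default that someone committed to application.yml.
PLACEHOLDER_DEFAULT = "change-me-default-secret"
MIN_SECRET_BYTES = 32  # assumption: at least the HMAC-SHA256 output length


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the HMAC matches and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        given_sig = _b64url_decode(sig)
    except (ValueError, json.JSONDecodeError):
        return None
    if hdr.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        return None
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    current = now if now is not None else time.time()
    if "exp" in claims and claims["exp"] < current:
        return None
    return claims


def load_jwt_secret(config: dict, env: dict) -> str:
    """
    Mitigation for the root cause: the secret comes from the environment (or a
    secret store), never from a value committed in the config file. Startup
    fails closed on a secret that is in the config, missing, default, or short.
    """
    if "secretKey" in (config.get("jwt") or {}):
        raise RuntimeError("jwt.secretKey must not be set in application.yml; use JWT_SECRET")
    secret = env.get("JWT_SECRET")
    if not secret:
        raise RuntimeError("JWT_SECRET is not set")
    if secret == PLACEHOLDER_DEFAULT or len(secret.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError("JWT_SECRET is a known default or shorter than the minimum")
    return secret


def config_is_safe(config: dict, env: dict) -> bool:
    """True if load_jwt_secret() would accept this config/env pair."""
    try:
        load_jwt_secret(config, env)
        return True
    except RuntimeError:
        return False


def generate_secret() -> str:
    """Operator helper: a fresh 256-bit secret, hex-encoded (64 characters)."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    # Constructed inputs: a config that still carries the key vs. one that does not.
    print("config with secretKey accepted:", config_is_safe({"jwt": {"secretKey": "abc"}}, {"JWT_SECRET": generate_secret()}))
    print("externalized secret accepted:", config_is_safe({"jwt": {}}, {"JWT_SECRET": generate_secret()}))
    key = generate_secret()
    tok = sign_hs256({"sub": "alice", "exp": int(time.time()) + 600}, key)
    print("verifies with the right key:", verify_hs256(tok, key) is not None)
    print("verifies with another key:", verify_hs256(tok, generate_secret()) is not None)
```

The point the check makes is that every call to sign_hs256 and verify_hs256 is only as trustworthy as the secret passed in; moving that secret out of the repository, rejecting known defaults, and enforcing a minimum length is the whole of the fix the commit applies.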

WAF Protection Rules

WAF Rule

Web authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/applicatio
