CVE-2023-31101

Apache InLong: Users who joined later can see the data of deleted users

EPSS: 1.1% | CWE-1188
In short

In Apache InLong versions 1.5.0 to 1.6.0, newly registered users can access data belonging to users who were previously deleted from the system. This happens because deleted user data is not properly removed, exposing sensitive information to unauthorized users.

Technical detail

This CWE-1188 (Insecure Default Initialization of Resource) vulnerability in Apache InLong allows users who register after other accounts have been deleted to access residual data left behind by those deleted accounts. Exploitation requires valid user credentials and access to the application; the impact is unauthorized disclosure of deleted users' data to the later-registered user. Remediation is to upgrade to version 1.7.0 or to apply the referenced patch.

Summary generated and translated by AI from the official description.
Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.5.0 through 1.6.0. Users registered in InLong who joined later can see deleted users' data. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve it.
