oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-48396: Apache SeaTunnel Web: Authentication bypass

From: Jun Gao <gaojun2048 () apache org>
Date: Tue, 30 Jul 2024 07:48:43 +0000
Severity: moderate

Affected versions:

- Apache SeaTunnel Web 1.0.0

Description:

Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker 
can forge
any token to log in any user.

Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a 
token.
This issue affects Apache SeaTunnel: 1.0.0.

Users are recommended to upgrade to version 1.0.1, which fixes the issue.

Credit:

jiahua huang / Joyh (reporter)

References:

https://seatunnel.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-48396
Previous By Date Next
Previous By Thread Next

Current thread: