CVE-2023-31454 — Apache InLong vulnerable to Incorrect Permission Assignment for Critical Resourc

Description

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.2.0 through 1.6.0. The attacker can bind any cluster, even if he is not the cluster owner. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7947 to solve it.

How to fix CVE-2023-31454

To remediate CVE-2023-31454, upgrade the affected package to a fixed version below.

—upgrade to 1.7.0 or later

Is CVE-2023-31454 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.2.0, < 1.7.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-31454
PATCHgithub.com/apache/inlong
WEBgithub.com/apache/inlong/pull/7947
WEBlists.apache.org/thread/nqt1tr6pbq8q4b033d7sg5gltx5pmjgl