Apache InLong: Privilege escalation vulnerability for InLong
Description
Improper Privilege Management Vulnerabilities in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. When the attacker has access to a valid (but unprivileged) account, the exploit can be executed using Burp Suite by sending a login request and following it with a subsequent HTTP request using the returned cookie.
Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong versions 1.2.0 through 1.6.0 contain an improper privilege management vulnerability that lets an authenticated but low-privileged user escalate privileges via crafted HTTP requests.
Overview
CVE-2023-31062 is an improper privilege management vulnerability in Apache InLong, a one-stop integration framework for massive data. Affecting versions 1.2.0 through 1.6.0, the flaw stems from insufficient authorization checks when processing certain API requests[1][2].
Exploitation
An attacker with access to a valid but unprivileged account can exploit this vulnerability by sending a legitimate login request and then reusing the returned session cookie on a subsequent HTTP request that performs a privileged action[2]. Burp Suite is only a convenient way to capture the login response and replay the cookie; any HTTP client can do the same. No additional authentication or network access beyond a valid low-privileged account is required[2].
Impact
Successful exploitation allows an attacker to perform operations that should require higher privileges, such as managing user permissions or accessing restricted functions. The associated pull request describes the fix as removing a user's permissions when that user is deleted, which indicates that the underlying weakness could enable unauthorized privilege changes or data access[1][2]; the advisory does not describe the internal mechanics beyond that.
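The Overview attributes the flaw to authorization checks at request time and the Impact section notes that the fix concerns removing a user's permissions when the user is deleted. The following added example is illustrative Python, not Apache InLong's code and not a reproduction of the InLong bug: it models the general failure mode those two statements point at, a role snapshot taken at login and trusted for the lifetime of a session cookie, beside the hardened form that re-reads the role from the live user store on every request. All names in it (UserStore, SessionStore, authorize_stale, authorize_live) are hypothetical.

```python
"""Generic model of session-trusted vs. store-checked authorization (illustration only)."""
import secrets


class UserStore:
    """In-memory stand-in for a user table: username -> role ('admin' or 'user')."""

    def __init__(self):
        self._roles = {}

    def add(self, name, role):
        self._roles[name] = role

    def delete(self, name):
        self._roles.pop(name, None)

    def role_of(self, name):
        """Current role, or None once the user has been deleted."""
        return self._roles.get(name)


class SessionStore:
    """Maps a cookie value to the principal it was issued for."""

    def __init__(self):
        self._sessions = {}

    def login(self, store, name):
        role = store.role_of(name)
        if role is None:
            return None
        cookie = secrets.token_hex(16)
        # Weak design: the role is copied into the session when the cookie is
        # issued, so later changes to the user record never reach the check.
        self._sessions[cookie] = {"user": name, "role_at_login": role}
        return cookie

    def lookup(self, cookie):
        return self._sessions.get(cookie)


def authorize_stale(sessions, cookie):
    """Weak: decides from the role snapshot stored with the cookie."""
    s = sessions.lookup(cookie)
    return s is not None and s["role_at_login"] == "admin"


def authorize_live(sessions, store, cookie):
    """Hardened: resolves the principal, then re-reads the role from the user store."""
    s = sessions.lookup(cookie)
    if s is None:
        return False
    return store.role_of(s["user"]) == "admin"


def demo():
    """Replay one cookie through both checks after the user record changes.

    Returns (stale_result, live_result) pairs for a demoted and a deleted user.
    """
    store, sessions = UserStore(), SessionStore()
    store.add("alice", "admin")
    cookie = sessions.login(store, "alice")

    store.add("alice", "user")      # demoted after login
    demoted = (authorize_stale(sessions, cookie), authorize_live(sessions, store, cookie))

    store.delete("alice")           # deleted, cookie still present in the session store
    deleted = (authorize_stale(sessions, cookie), authorize_live(sessions, store, cookie))

    return {"demoted": demoted, "deleted": deleted}


if __name__ == "__main__":
    print(demo())  # {'demoted': (True, False), 'deleted': (True, False)}
```

Re-checking the store on every request is the minimal fix; invalidating the user's sessions at demotion or deletion time closes the same window without a lookup per request, and the two are normally combined.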
Mitigation
The Apache InLong project has released version 1.7.0, which resolves this vulnerability. Users unable to upgrade immediately can cherry-pick the fix from the referenced pull request (#7836), which corrects the permission handling logic[1][2]. No workaround other than applying the patch or upgrading is currently documented.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.inlong:manager-pojo (Maven) | >= 1.2.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-dao (Maven) | >= 1.2.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-service (Maven) | >= 1.2.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-web (Maven) | >= 1.2.0, < 1.7.0 | 1.7.0 |
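A quick way to check a build against the affected ranges in the table above, as an added example rather than tooling from the InLong project or the advisory: the script below pulls `<dependency>` entries out of a pom.xml fragment (a constructed sample is embedded) and classifies the four manager-* artifacts by the advisory's range. A qualified version such as 1.7.0-SNAPSHOT is treated as older than the 1.7.0 release, which matches Maven's ordering and errs toward reporting it; a version given as an unresolved property is reported separately rather than silently passed.

```python
"""Flag Maven coordinates that fall in the CVE-2023-31062 affected range."""
import re

# Artifacts and range from the advisory table (>= 1.2.0, < 1.7.0).
AFFECTED_ARTIFACTS = {
    "org.apache.inlong:manager-pojo",
    "org.apache.inlong:manager-dao",
    "org.apache.inlong:manager-service",
    "org.apache.inlong:manager-web",
}


def parse_version(v):
    """Map a Maven version string to a comparable tuple.

    '1.6.0' -> (1, 6, 0, 1); '1.7.0-SNAPSHOT' -> (1, 7, 0, 0).  The trailing
    flag makes a qualified version (SNAPSHOT, rc1, ...) sort before its bare
    release, as Maven does.  Returns None for values that are not numeric,
    such as an unresolved '${inlong.version}' property.
    """
    core, _, qualifier = v.partition("-")
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts][:3]
    nums += [0] * (3 - len(nums))
    return (*nums, 0 if qualifier else 1)


AFFECTED_MIN = parse_version("1.2.0")   # inclusive lower bound
PATCHED = parse_version("1.7.0")        # exclusive upper bound, first fixed release


def classify(coordinate, version):
    """'affected', 'not-affected' or 'unresolved'; None if the artifact is not listed."""
    if coordinate not in AFFECTED_ARTIFACTS:
        return None
    v = parse_version(version)
    if v is None:
        return "unresolved"
    return "affected" if AFFECTED_MIN <= v < PATCHED else "not-affected"


# Matches dependencies written with groupId, artifactId and version in that order.
DEP_RE = re.compile(
    r"<dependency>\s*<groupId>([^<]+)</groupId>\s*"
    r"<artifactId>([^<]+)</artifactId>\s*<version>([^<]+)</version>"
)


def scan_pom(pom_text):
    """Return [(coordinate, version, status)] for every listed artifact found."""
    results = []
    for group, artifact, version in DEP_RE.findall(pom_text):
        coord = f"{group.strip()}:{artifact.strip()}"
        status = classify(coord, version.strip())
        if status is not None:
            results.append((coord, version.strip(), status))
    return results


# Constructed sample pom.xml fragment; not taken from any real project.
SAMPLE_POM = """
<dependencies>
  <dependency>
    <groupId>org.apache.inlong</groupId>
    <artifactId>manager-service</artifactId>
    <version>1.6.0</version>
  </dependency>
  <dependency>
    <groupId>org.apache.inlong</groupId>
    <artifactId>manager-web</artifactId>
    <version>1.7.0</version>
  </dependency>
  <dependency>
    <groupId>org.apache.inlong</groupId>
    <artifactId>manager-dao</artifactId>
    <version>1.7.0-SNAPSHOT</version>
  </dependency>
  <dependency>
    <groupId>org.apache.inlong</groupId>
    <artifactId>manager-pojo</artifactId>
    <version>${inlong.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.inlong</groupId>
    <artifactId>sort-core</artifactId>
    <version>1.5.0</version>
  </dependency>
</dependencies>
"""

if __name__ == "__main__":
    for coord, version, status in scan_pom(SAMPLE_POM):
        print(f"{status:13} {coord} {version}")
```

The regex only sees dependencies with an explicit version in groupId/artifactId/version order; versions inherited from a parent, a BOM or dependencyManagement are not resolved. For a real project, run the classification over the resolved output of `mvn dependency:list` instead of the raw pom.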
Affected products
- pkg:maven/org.apache.inlong/manager-dao (no CPE), range >= 1.2.0, < 1.7.0
- pkg:maven/org.apache.inlong/manager-pojo (no CPE), range >= 1.2.0, < 1.7.0
- pkg:maven/org.apache.inlong/manager-service (no CPE), range >= 1.2.0, < 1.7.0
- pkg:maven/org.apache.inlong/manager-web (no CPE), range >= 1.2.0, < 1.7.0
- Apache Software Foundation / Apache InLong (CVE record, v5): affected from 1.2.0 (through 1.6.0 per the description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-q5p5-xg93-2jqc (GHSA advisory)
- https://lists.apache.org/thread/btorjbo9o71h22tcvxzy076022hjdzq0 (vendor advisory, Apache mailing list)
- https://nvd.nist.gov/vuln/detail/CVE-2023-31062 (NVD entry)
- https://github.com/apache/inlong/pull/7836 (fix pull request)
News mentions
No linked articles in our index yet.