Apache InLong: Insufficient Session Expiration in InLong
Description
Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0.
An old session can be used by an attacker even after the user has been deleted or the password has been changed.
Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 and https://github.com/apache/inlong/pull/7884 to solve it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong 1.4.0-1.6.0 allows reuse of old sessions after user deletion or password change due to insufficient session expiration.
Vulnerability Description
CVE-2023-31065 is an insufficient session expiration vulnerability in Apache InLong, affecting versions 1.4.0 through 1.6.0 [2]. The root cause is that the application does not properly invalidate sessions when a user is deleted or their password is changed, allowing an old session to remain valid [2].
Attack Vector
An attacker who holds an old session token (for example, one obtained from a previously authenticated session, including the account's former holder who simply kept it) can reuse that token to access the system even after the associated user account has been removed or its password has been changed [2]. No further authentication is required; the stale token alone suffices. The attack can be carried out remotely over the network.
Impact
Successful exploitation allows an attacker to maintain unauthorized access to the Apache InLong instance, potentially gaining the same privileges as the deleted or modified user. This could lead to data exposure, manipulation, or disruption of data integration pipelines managed by InLong.
Mitigation
The vulnerability is addressed in Apache InLong version 1.7.0 [2]. Users can also apply patches via cherry-picking commits from pull requests #7836 and #7884, which introduce session invalidation mechanisms upon user deletion [1][4]. Pull request #7884 proposes caching user information in memory and periodically synchronizing from the database to detect invalid users and remove their sessions [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
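The mechanics described above (a session that stays valid after the account it belongs to is deleted or its password is rotated) and the mitigation pattern attributed to pull request #7884 (periodically sync account state and drop the sessions of users that are no longer valid), as an added Python model. This is not Apache InLong's code (the InLong manager is Java): the names VulnerableSessionStore, HardenedSessionStore, User, Session, run_scenario and reconcile_demo are constructed here for illustration, and the password itself is elided in favour of a version counter. The vulnerable store treats a token as valid merely because it is present; the hardened store records the account's password version in the session, revokes a user's sessions on account events, re-checks account state on every request, and offers a reconcile() sweep for changes that happened where the hook never fired.

```python
"""Constructed model of the CVE-2023-31065 defect class: a session store that
never re-checks the account a session was issued for. Not Apache InLong code."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_version: int = 0   # bumped on every password change (hash elided)


@dataclass
class Session:
    user: str
    password_version: int       # account state captured when the token was issued


class VulnerableSessionStore:
    """A token is valid while it is in the map; account changes never reach the store."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def issue(self, user: User) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user.name, user.password_version)
        return token

    def resolve(self, token: str, users: dict[str, User]) -> str | None:
        s = self.sessions.get(token)
        return s.user if s else None

    def on_account_changed(self, name: str) -> None:
        pass                    # hook is called, but the vulnerable store ignores it


class HardenedSessionStore(VulnerableSessionStore):
    """Revoke on account events, re-check account state on every request, and sweep
    periodically for changes the hook never saw (another node, a direct DB edit)."""

    @staticmethod
    def _still_valid(s: Session, users: dict[str, User]) -> bool:
        u = users.get(s.user)
        return u is not None and u.password_version == s.password_version

    def resolve(self, token: str, users: dict[str, User]) -> str | None:
        s = self.sessions.get(token)
        if s is None:
            return None
        if not self._still_valid(s, users):
            del self.sessions[token]    # stale: user gone or password rotated
            return None
        return s.user

    def reconcile(self, users: dict[str, User]) -> int:
        dead = [t for t, s in self.sessions.items() if not self._still_valid(s, users)]
        for t in dead:
            del self.sessions[t]
        return len(dead)

    def on_account_changed(self, name: str) -> None:
        for t in [t for t, s in self.sessions.items() if s.user == name]:
            del self.sessions[t]


def change_password(users: dict[str, User], store: VulnerableSessionStore, name: str) -> None:
    users[name].password_version += 1
    store.on_account_changed(name)


def delete_user(users: dict[str, User], store: VulnerableSessionStore, name: str) -> None:
    del users[name]
    store.on_account_changed(name)


def run_scenario(store_cls: type) -> dict[str, str | None]:
    """Issue, rotate password, re-issue, delete; record who each token resolves to."""
    users, store = {"alice": User("alice")}, store_cls()
    old = store.issue(users["alice"])
    out = {"fresh": store.resolve(old, users)}
    change_password(users, store, "alice")
    out["old_token_after_password_change"] = store.resolve(old, users)
    new = store.issue(users["alice"])
    out["new_token"] = store.resolve(new, users)
    delete_user(users, store, "alice")
    out["new_token_after_delete"] = store.resolve(new, users)
    return out


def reconcile_demo() -> int:
    """A deletion that bypasses the hook (simulated) is still caught by the sweep."""
    users, store = {"bob": User("bob")}, HardenedSessionStore()
    store.issue(users["bob"])
    store.issue(users["bob"])
    del users["bob"]                # out-of-band deletion: on_account_changed never fires
    return store.reconcile(users)
```

run_scenario() makes the difference visible: with the vulnerable store every entry resolves to alice, while with the hardened store the old token dies at the password change and the new one at deletion. The per-request check and the sweep are the parts that matter in a deployment, because the admin action that deletes a user or rotates a password may run on a different manager node or directly against the database, where an in-process revocation hook never fires. All of this is in addition to an absolute session lifetime, which the model deliberately leaves out.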
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.inlong:manager-pojo | Maven | >= 1.4.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-dao | Maven | >= 1.4.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-web | Maven | >= 1.4.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-service | Maven | >= 1.4.0, < 1.7.0 | 1.7.0 |
Affected products
- pkg:maven/org.apache.inlong/manager-dao (no CPE): >= 1.4.0, < 1.7.0
- pkg:maven/org.apache.inlong/manager-pojo (no CPE): >= 1.4.0, < 1.7.0
- pkg:maven/org.apache.inlong/manager-service (no CPE): >= 1.4.0, < 1.7.0
- pkg:maven/org.apache.inlong/manager-web (no CPE): >= 1.4.0, < 1.7.0
- Apache Software Foundation / Apache InLong (CVE v5 record): from 1.4.0 through 1.6.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-757p-7hp5-pqmr (GitHub Security Advisory)
- https://lists.apache.org/thread/to7o0n2cks0omtwo6mhh5cs2vfdbplqf (Apache vendor advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-31065 (NVD)
- https://github.com/apache/inlong/pull/7836 (fix pull request)
- https://github.com/apache/inlong/pull/7884 (fix pull request)
News mentions
No linked articles in our index yet.