Apache InLong: Attackers can change the immutable name and type of cluster
Description
Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of cluster of InLong. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7891 to solve it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong versions 1.4.0 through 1.6.0 allow attackers to modify immutable cluster names and types due to insufficient access control, leading to resource misconfiguration.
CVE-2023-31103 is an Exposure of Resource to Wrong Sphere vulnerability in Apache InLong, affecting versions 1.4.0 through 1.6.0 [1]. The root cause is that the system does not properly enforce immutability for cluster name and type fields, allowing them to be changed by unauthorized actors [1].
Attackers with network access to the InLong manager service can exploit this flaw by sending crafted requests to modify these immutable properties [1]. No special privileges are required beyond the ability to interact with the vulnerable API endpoints.
Successful exploitation enables an attacker to alter the cluster's immutable name and type, potentially causing data misrouting, resource confusion, or administrative disruption [1]. The impact is primarily on the integrity and reliability of data processing pipelines.
Apache has addressed the issue in version 1.7.0, or users can apply the fix via pull request #7891, which adds validation to prevent modification of these critical fields [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.inlong:manager-pojo (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-dao (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-service (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-test (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-web (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0 |
Affected products
- ghsa-coords (5 versions): pkg:maven/org.apache.inlong/manager-dao, pkg:maven/org.apache.inlong/manager-pojo, pkg:maven/org.apache.inlong/manager-service, pkg:maven/org.apache.inlong/manager-test, pkg:maven/org.apache.inlong/manager-web; range: >= 1.4.0, < 1.7.0
- (no CPE) range: >= 1.4.0, < 1.7.0
- (no CPE) range: >= 1.4.0, < 1.7.0
- (no CPE) range: >= 1.4.0, < 1.7.0
- (no CPE) range: >= 1.4.0, < 1.7.0
- (no CPE) range: >= 1.4.0, < 1.7.0
- Apache Software Foundation/Apache InLong (v5), range: 1.4.0
References
- github.com/advisories/GHSA-7mhc-76hf-3jp9 (ghsa, ADVISORY)
- lists.apache.org/thread/bv51zhjookcnfbz8b0xsl9wv78sn0j1p (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-31103 (ghsa, ADVISORY)
- github.com/apache/inlong/pull/7891 (ghsa, WEB)