VYPR
High severity · NVD Advisory · Published May 22, 2023 · Updated Oct 9, 2024

Apache InLong: IDOR make users can bind any cluster

CVE-2023-31454

Description

Incorrect Permission Assignment for Critical Resource vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.2.0 through 1.6.0.

The attacker can bind any cluster, even if he is not the cluster owner. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/7947

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache InLong versions 1.2.0 through 1.6.0 have a permission flaw that lets an attacker bind any cluster without being its owner; fixed in 1.7.0.

Description

CVE-2023-31454 is an incorrect permission assignment vulnerability in Apache InLong that affects versions 1.2.0 through 1.6.0 [2]. The root cause is a missing permission check when binding a cluster tag: the caller's ownership of the target cluster is never verified, so any user can bind any cluster [1].
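As an added illustration (not Apache InLong code; every class and method name is hypothetical), a minimal cluster-tag binding service showing the unchecked bind that constitutes the IDOR beside the hardened form that verifies the caller owns the cluster before binding:

```python
# Hypothetical model of the bug class behind CVE-2023-31454: a bind operation
# that looks up a cluster by a caller-supplied name and never checks whether
# the caller owns it. Not InLong code; the names below are assumptions.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when a user tries to bind a cluster they do not own."""


@dataclass
class Cluster:
    name: str
    owner: str
    tags: set = field(default_factory=set)


class ClusterService:
    def __init__(self, clusters, admins=frozenset()):
        self._clusters = {c.name: c for c in clusters}
        self._admins = frozenset(admins)

    def bind_tag_unchecked(self, user, cluster_name, tag):
        # Vulnerable: authorization is implied by the request, not enforced.
        # Any authenticated user reaching this endpoint binds any cluster.
        cluster = self._clusters[cluster_name]
        cluster.tags.add(tag)
        return set(cluster.tags)

    def bind_tag(self, user, cluster_name, tag):
        # Hardened: authorize against the resource itself. Resolve the cluster,
        # then require the caller to be its owner (or an admin) before mutating.
        cluster = self._clusters.get(cluster_name)
        if cluster is None:
            raise KeyError(cluster_name)
        if user != cluster.owner and user not in self._admins:
            raise PermissionDenied(f"{user} is not the owner of {cluster_name}")
        cluster.tags.add(tag)
        return set(cluster.tags)


def try_bind(service, user, cluster_name, tag):
    """Return the resulting tag set, or 'denied' if the ownership check fails."""
    try:
        return service.bind_tag(user, cluster_name, tag)
    except PermissionDenied:
        return "denied"
```

With a constructed cluster owned by "alice", the unchecked path lets "mallory" bind it, while `try_bind` returns "denied" for her and the new tag set for the owner.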

Exploitation

An attacker with network access to the InLong service can exploit this vulnerability without needing to be the cluster owner. The attacker can bind any cluster, bypassing intended access controls [2].

Impact

Successful exploitation enables an attacker to bind arbitrary clusters, potentially leading to unauthorized data access or control over cluster resources [2].

Mitigation

Apache has addressed this issue in version 1.7.0. Users are advised to upgrade or cherry-pick the fix from pull request #7947 [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Affected versions    Patched versions
org.apache.inlong:manager-service (Maven)  >= 1.2.0, < 1.7.0    1.7.0
