High severity · NVD Advisory · Published Jul 30, 2024 · Updated Feb 13, 2025
Apache SeaTunnel Web: Authentication bypass
CVE-2023-48396
Description
Web authentication vulnerability in Apache SeaTunnel. Because the JWT signing key is hardcoded in the application, an attacker can forge a token for any user and log in as that user.
An attacker can read the secret key from /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0.
Users are recommended to upgrade to version 1.0.1, which fixes the issue.
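The weakness described above is a fixed JWT secret shipped inside application.yml. The following added example (not SeaTunnel project code) flags such a literal in a small constructed YAML fragment and shows a hardened loader that takes the secret from the environment instead; the key path `jwt.secret`, the `JWT_SECRET` variable name and the sample values are assumptions, not taken from the project.

```python
# Added example, not part of the SeaTunnel code base. Detects a JWT secret that is
# a fixed literal in a SeaTunnel-style application.yml (the CVE-2023-48396 pattern)
# and shows loading the secret from the environment at startup instead.
import re
from typing import Optional

# Constructed sample configs; the "jwt.secret" key path is an assumption.
VULNERABLE_YAML = """\
jwt:
  expire-time: 86400
  secret: hardcoded-demo-secret
"""
HARDENED_YAML = """\
jwt:
  expire-time: 86400
  secret: ${JWT_SECRET}
"""


def find_hardcoded_jwt_secret(yaml_text: str) -> Optional[str]:
    """Return the shipped secret if the jwt block holds a fixed value, else None.

    A ${ENV_VAR} placeholder counts as external configuration and passes;
    ${ENV_VAR:default} with a non-empty default is still flagged, because the
    default value ships with the application and verifies tokens when the
    variable is unset.
    """
    in_jwt = False
    for line in yaml_text.splitlines():
        if line.strip() and not line.startswith(" "):
            in_jwt = line.strip() == "jwt:"          # entered/left the top-level jwt block
            continue
        if not in_jwt:
            continue
        m = re.match(r"^\s+secret:\s*(.*?)\s*$", line)
        if not m:
            continue
        value = m.group(1).strip("'\"")
        ph = re.match(r"^\$\{([A-Za-z0-9_]+)(?::(.*))?\}$", value)
        if ph is None:
            return value                             # fixed literal in the config file
        return ph.group(2) or None                   # shipped default, or clean reference
    return None


MIN_SECRET_BYTES = 32  # 256-bit floor for an HMAC-SHA256 (HS256) key


def load_jwt_secret(env: dict) -> bytes:
    """Hardened loader: refuse to start unless JWT_SECRET is set and long enough."""
    raw = env.get("JWT_SECRET", "")
    if len(raw.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError("JWT_SECRET missing or shorter than 32 bytes; refusing to start")
    return raw.encode()
```

Run `find_hardcoded_jwt_secret` over checked-in configuration as a CI gate; it returns the literal for the vulnerable sample and `None` for the hardened one.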
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.seatunnel:seatunnel-web | Maven | < 1.0.1 | 1.0.1 |
Affected products
- Apache Software Foundation / Apache SeaTunnel Web, affected version range: 1.0.0
References
- GitHub Security Advisory: https://github.com/advisories/GHSA-cp2c-x2pc-fph7
- Vendor advisory (Apache mailing list): https://lists.apache.org/thread/1tdxfjksx0vb9gtyt77wlr6rdcy1qwmw
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-48396
- oss-security announcement: https://www.openwall.com/lists/oss-security/2024/07/30/1
- Fix commit: https://github.com/apache/seatunnel-web/commit/4a37ebfa4b57e177bf7857cf39a6dbdc00f75f78