Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Apache SeaTunnel Web by Apache Software Foundation

    CVE-2023-49198 (GCVE-0-2023-49198)

    Vulnerability from nvd – Published: 2024-08-21 09:37 – Updated: 2024-08-23 13:04
    VLAI
    Title
    Apache SeaTunnel Web: Arbitrary file read vulnerability
    Summary
    Mysql security vulnerability in Apache SeaTunnel. Attackers can read files on the MySQL server by modifying the information in the MySQL URL allowLoadLocalInfile=true&allowUrlInLocalInfile=true&allowLoadLocalInfileInPath=/&maxAllowedPacket=655360 This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version [1.0.1], which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-552 - Files or Directories Accessible to External Parties
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache SeaTunnel Web Affected: 1.0.0 (maven)
    Create a notification for this product.
    apache_software_foundation apache_seatunnel_web Affected: 1.0.0
        cpe:2.3:a:apache_software_foundation:apache_seatunnel_web:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    jiahua huang
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache_software_foundation:apache_seatunnel_web:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "apache_seatunnel_web",
                "vendor": "apache_software_foundation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-49198",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-21T13:09:43.236377Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-21T13:13:52.118Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-21T14:03:03.767Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2024/08/21/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.maven.apache.org/maven2",
              "defaultStatus": "unaffected",
              "product": "Apache SeaTunnel Web",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "jiahua huang"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Mysql security vulnerability in Apache SeaTunnel.\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAttackers can read files on the MySQL server by modifying the information in the MySQL URL\u003cbr\u003e\u003cbr\u003e allowLoadLocalInfile=true\u0026amp;allowUrlInLocalInfile=true\u0026amp;allowLoadLocalInfileInPath=/\u0026amp;maxAllowedPacket=655360\u003c/span\u003e\u003c/tt\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache SeaTunnel: 1.0.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version [1.0.1], which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Mysql security vulnerability in Apache SeaTunnel.\n\nAttackers can read files on the MySQL server by modifying the information in the MySQL URL\n\n allowLoadLocalInfile=true\u0026allowUrlInLocalInfile=true\u0026allowLoadLocalInfileInPath=/\u0026maxAllowedPacket=655360\nThis issue affects Apache SeaTunnel: 1.0.0.\n\nUsers are recommended to upgrade to version [1.0.1], which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-552",
                  "description": "CWE-552 Files or Directories Accessible to External Parties",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-23T13:04:21.616Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/48j9f1nsn037mgzc4j9o51nwglb1s08h"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache SeaTunnel Web: Arbitrary file read vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-49198",
        "datePublished": "2024-08-21T09:37:57.478Z",
        "dateReserved": "2023-11-23T08:40:08.326Z",
        "dateUpdated": "2024-08-23T13:04:21.616Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-48396 (GCVE-0-2023-48396)

    Vulnerability from nvd – Published: 2024-07-30 08:15 – Updated: 2025-02-13 17:18
    VLAI
    Title
    Apache SeaTunnel Web: Authentication bypass
    Summary
    Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version 1.0.1, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache SeaTunnel Web Affected: 1.0.0
    Create a notification for this product.
    apache seatunnel Affected: 1.0.0
        cpe:2.3:a:apache:seatunnel:1.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    jiahua huang / Joyh
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:seatunnel:1.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "seatunnel",
                "vendor": "apache",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-48396",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-30T13:28:08.790672Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-30T15:20:29.540Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:30:34.963Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/1tdxfjksx0vb9gtyt77wlr6rdcy1qwmw"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/07/30/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache SeaTunnel Web",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "jiahua huang / Joyh"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Web Authentication vulnerability in Apache SeaTunnel.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSince the jwt key is hardcoded in the application, an attacker can forge\nany token to log in any user.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eAttacker can get\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003esecret key in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e/seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache SeaTunnel: 1.0.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.0.1, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Web Authentication vulnerability in Apache SeaTunnel.\u00a0Since the jwt key is hardcoded in the application, an attacker can forge\nany token to log in any user.\n\nAttacker can get\u00a0secret key in\u00a0/seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token.\nThis issue affects Apache SeaTunnel: 1.0.0.\n\nUsers are recommended to upgrade to version 1.0.1, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-30T08:20:06.207Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/1tdxfjksx0vb9gtyt77wlr6rdcy1qwmw"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/07/30/1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache SeaTunnel Web: Authentication bypass",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-48396",
        "datePublished": "2024-07-30T08:15:33.731Z",
        "dateReserved": "2023-11-16T06:55:43.177Z",
        "dateUpdated": "2025-02-13T17:18:18.107Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-49198 (GCVE-0-2023-49198)

    Vulnerability from cvelistv5 – Published: 2024-08-21 09:37 – Updated: 2024-08-23 13:04
    VLAI
    Title
    Apache SeaTunnel Web: Arbitrary file read vulnerability
    Summary
    Mysql security vulnerability in Apache SeaTunnel. Attackers can read files on the MySQL server by modifying the information in the MySQL URL allowLoadLocalInfile=true&allowUrlInLocalInfile=true&allowLoadLocalInfileInPath=/&maxAllowedPacket=655360 This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version [1.0.1], which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-552 - Files or Directories Accessible to External Parties
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache SeaTunnel Web Affected: 1.0.0 (maven)
    Create a notification for this product.
    apache_software_foundation apache_seatunnel_web Affected: 1.0.0
        cpe:2.3:a:apache_software_foundation:apache_seatunnel_web:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    jiahua huang
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache_software_foundation:apache_seatunnel_web:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "apache_seatunnel_web",
                "vendor": "apache_software_foundation",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-49198",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-21T13:09:43.236377Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-21T13:13:52.118Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-21T14:03:03.767Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2024/08/21/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.maven.apache.org/maven2",
              "defaultStatus": "unaffected",
              "product": "Apache SeaTunnel Web",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "jiahua huang"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Mysql security vulnerability in Apache SeaTunnel.\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAttackers can read files on the MySQL server by modifying the information in the MySQL URL\u003cbr\u003e\u003cbr\u003e allowLoadLocalInfile=true\u0026amp;allowUrlInLocalInfile=true\u0026amp;allowLoadLocalInfileInPath=/\u0026amp;maxAllowedPacket=655360\u003c/span\u003e\u003c/tt\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache SeaTunnel: 1.0.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version [1.0.1], which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Mysql security vulnerability in Apache SeaTunnel.\n\nAttackers can read files on the MySQL server by modifying the information in the MySQL URL\n\n allowLoadLocalInfile=true\u0026allowUrlInLocalInfile=true\u0026allowLoadLocalInfileInPath=/\u0026maxAllowedPacket=655360\nThis issue affects Apache SeaTunnel: 1.0.0.\n\nUsers are recommended to upgrade to version [1.0.1], which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "important"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-552",
                  "description": "CWE-552 Files or Directories Accessible to External Parties",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-08-23T13:04:21.616Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/48j9f1nsn037mgzc4j9o51nwglb1s08h"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache SeaTunnel Web: Arbitrary file read vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-49198",
        "datePublished": "2024-08-21T09:37:57.478Z",
        "dateReserved": "2023-11-23T08:40:08.326Z",
        "dateUpdated": "2024-08-23T13:04:21.616Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-48396 (GCVE-0-2023-48396)

    Vulnerability from cvelistv5 – Published: 2024-07-30 08:15 – Updated: 2025-02-13 17:18
    VLAI
    Title
    Apache SeaTunnel Web: Authentication bypass
    Summary
    Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version 1.0.1, which fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Apache Software Foundation Apache SeaTunnel Web Affected: 1.0.0
    Create a notification for this product.
    apache seatunnel Affected: 1.0.0
        cpe:2.3:a:apache:seatunnel:1.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    jiahua huang / Joyh
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:apache:seatunnel:1.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "seatunnel",
                "vendor": "apache",
                "versions": [
                  {
                    "status": "affected",
                    "version": "1.0.0"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 9.1,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-48396",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-30T13:28:08.790672Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-30T15:20:29.540Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:30:34.963Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread/1tdxfjksx0vb9gtyt77wlr6rdcy1qwmw"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/07/30/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Apache SeaTunnel Web",
              "vendor": "Apache Software Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "jiahua huang / Joyh"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Web Authentication vulnerability in Apache SeaTunnel.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSince the jwt key is hardcoded in the application, an attacker can forge\nany token to log in any user.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eAttacker can get\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003esecret key in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e/seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003cp\u003eThis issue affects Apache SeaTunnel: 1.0.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.0.1, which fixes the issue.\u003c/p\u003e"
                }
              ],
              "value": "Web Authentication vulnerability in Apache SeaTunnel.\u00a0Since the jwt key is hardcoded in the application, an attacker can forge\nany token to log in any user.\n\nAttacker can get\u00a0secret key in\u00a0/seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token.\nThis issue affects Apache SeaTunnel: 1.0.0.\n\nUsers are recommended to upgrade to version 1.0.1, which fixes the issue."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "text": "moderate"
                },
                "type": "Textual description of severity"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-30T08:20:06.207Z",
            "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            "shortName": "apache"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://lists.apache.org/thread/1tdxfjksx0vb9gtyt77wlr6rdcy1qwmw"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/07/30/1"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Apache SeaTunnel Web: Authentication bypass",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "assignerShortName": "apache",
        "cveId": "CVE-2023-48396",
        "datePublished": "2024-07-30T08:15:33.731Z",
        "dateReserved": "2023-11-16T06:55:43.177Z",
        "dateUpdated": "2025-02-13T17:18:18.107Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }