CVE-2023-31098 - Vulnerability Details - OpenCVE

Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.6.0.

When users change their password to a simple password (with any character or
symbol), attackers can easily guess the user's password and access the account.

Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 https://github.com/apache/inlong/pull/7805 to solve it.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00169.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Apache	Inlong

Configuration 1 [-]

cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2160	Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.6.0. When users change their password to a simple password (with any character or symbol), attackers can easily guess the user's password and access the account. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 https://github.com/apache/inlong/pull/7805 to solve it.
Github GHSA	GHSA-w3wr-gmwf-r333	Apache InLong has Weak Password Requirements in Apache InLong

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.apache.org/thread/1fvloc3no1gbffzrcsx9ltsg08wr2d1w

History

Fri, 11 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-05-22T15:31:53.989Z

Updated: 2024-10-11T13:59:56.171Z

Reserved: 2023-04-24T06:13:00.131Z

Link: CVE-2023-31098

Vulnrichment

Updated: 2024-08-02T14:45:25.732Z

NVD

Status : Modified

Published: 2023-05-22T16:15:10.150

Modified: 2024-11-21T08:01:24.643

Link: CVE-2023-31098

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-31098", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-04-24T06:13:00.131Z", "datePublished": "2023-05-22T15:31:53.989Z", "dateUpdated": "2024-10-11T13:59:56.171Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache InLong", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.6.0", "status": "affected", "version": "1.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "lujie.ac.cn"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.<p>This issue affects Apache InLong: from 1.1.0 through 1.6.0. \n\n<span style=\"background-color: rgb(255, 255, 255);\">When users change their password to a simple password (with any character or\nsymbol), attackers can easily guess the user's password and access the account.</span></p><p>Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/7805\">https://github.com/apache/inlong/pull/7805</a> to solve it.<br></p>"}], "value": "Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.6.0.\u00a0\n\nWhen users change their password to a simple password (with any character or\nsymbol), attackers can easily guess the user's password and access the account.\n\nUsers are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 https://github.com/apache/inlong/pull/7805 to solve it.\n\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-521", "description": "CWE-521 Weak Password Requirements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-05-22T15:31:53.989Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1fvloc3no1gbffzrcsx9ltsg08wr2d1w"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache InLong: Weak Password Implementation in InLong", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:25.732Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/1fvloc3no1gbffzrcsx9ltsg08wr2d1w"}]}, {"affected": [{"vendor": "apache", "product": "inlong", "cpes": ["cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.1.0", "status": "affected", "lessThanOrEqual": "1.6.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-11T13:57:59.466962Z", "id": "CVE-2023-31098", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T13:59:56.171Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/1fvloc3no1gbffzrcsx9ltsg08wr2d1w", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:45:25.732Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-31098", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-11T13:57:59.466962Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "inlong", "versions": [{"status": "affected", "version": "1.1.0", "versionType": "custom", "lessThanOrEqual": "1.6.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-11T13:59:03.416Z"}}], "cna": {"title": "Apache InLong: Weak Password Implementation in InLong", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "lujie.ac.cn"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache InLong", "versions": [{"status": "affected", "version": "1.1.0", "versionType": "semver", "lessThanOrEqual": "1.6.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/1fvloc3no1gbffzrcsx9ltsg08wr2d1w", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.6.0.\u00a0\n\nWhen users change their password to a simple password (with any character or\nsymbol), attackers can easily guess the user's password and access the account.\n\nUsers are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 https://github.com/apache/inlong/pull/7805 to solve it.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.<p>This issue affects Apache InLong: from 1.1.0 through 1.6.0. \n\n<span style=\"background-color: rgb(255, 255, 255);\">When users change their password to a simple password (with any character or\nsymbol), attackers can easily guess the user's password and access the account.</span></p><p>Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/7805\">https://github.com/apache/inlong/pull/7805</a> to solve it.<br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-521", "description": "CWE-521 Weak Password Requirements"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-05-22T15:31:53.989Z"}}}, "cveMetadata": {"cveId": "CVE-2023-31098", "state": "PUBLISHED", "dateUpdated": "2024-10-11T13:59:56.171Z", "dateReserved": "2023-04-24T06:13:00.131Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-05-22T15:31:53.989Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*", "matchCriteriaId": "EECE4FCB-6C96-4EB4-B9CD-44A78D33313C", "versionEndIncluding": "1.6.0", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.6.0.\u00a0\n\nWhen users change their password to a simple password (with any character or\nsymbol), attackers can easily guess the user's password and access the account.\n\nUsers are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 https://github.com/apache/inlong/pull/7805 to solve it.\n\n\n"}], "id": "CVE-2023-31098", "lastModified": "2024-11-21T08:01:24.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-05-22T16:15:10.150", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1fvloc3no1gbffzrcsx9ltsg08wr2d1w"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1fvloc3no1gbffzrcsx9ltsg08wr2d1w"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-521"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-521"}], "source": "nvd@nist.gov", "type": "Primary"}]}