Home > Vulnerability Database > CVE-2023-48396

Mend.io Vulnerability Database

CVE-2023-48396

Good to know:

Date: July 30, 2024

Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version 1.0.1, which fixes the issue.

Language: Java

Severity Score

9.1

Related Resources (6)

Url: http://www.openwall.com/lists/oss-security/2024/07/30/1

Url: https://github.com/apache/seatunnel-web/commit/4a37ebfa4b57e177bf7857cf39a6dbdc00f75f78

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-48396

Url: https://lists.apache.org/thread/1tdxfjksx0vb9gtyt77wlr6rdcy1qwmw

Url: https://github.com/apache/seatunnel

Url: https://www.mend.io/vulnerability-database/CVE-2023-48396

Severity Score

9.1

Weakness Type (CWE)

Authentication Bypass by Spoofing

CWE-290

Top Fix

Upgrade Version

Upgrade to version org.apache.seatunnel:seatunnel-app:1.0.1

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-48396

Good to know:

Date: July 30, 2024

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?