List: oss-security
Subject: [oss-security] CVE-2023-37924: Apache Submarine: SQL injection from unauthorized login
From: Xiang Chen <cdmikechen () apache ! org>
Date: 2023-11-22 0:15:24
Message-ID: 85222bd6-c08d-1e2f-69da-102f42610736 () apache ! org
Severity: critical
Affected versions:
- Apache Submarine 0.7.0 before 0.8.0
Description:
Apache Software Foundation Apache Submarine has an SQL injection vulnerability when a user logs in. This issue can result in unauthorized login. We have fixed this issue, and users must now present correct login credentials to access the workbench. This issue affects Apache Submarine from 0.7.0 before 0.8.0. We recommend that all Submarine users on 0.7.0 upgrade to 0.8.0, which not only fixes the issue and supports the OIDC authentication mode, but also removes the case of unauthenticated logins. If you are using a version lower than 0.8.0 and do not want to upgrade, you can try cherry-picking PRs https://github.com/apache/submarine/pull/1037 and https://github.com/apache/submarine/pull/1054 and rebuilding the submarine-server image to fix this.
This issue is being tracked as SUBMARINE-1361
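The advisory names the bug class (SQL injection in the login path) but not the code. The following added example, which is not Submarine's code and uses an assumed table layout and plaintext passwords purely for brevity, contrasts a login check that concatenates user input into the query with one that binds the same values as parameters, and shows that only the latter treats a quote-bearing username as plain data:

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; the table and column names are
    assumptions for this example, not Submarine's real schema. A real
    system would store a password hash, not the plaintext used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (user_name TEXT, password TEXT)")
    conn.execute("INSERT INTO sys_user VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation. Whatever the caller
    supplies becomes part of the SQL text, so a username containing a quote
    and a comment marker can truncate the password comparison entirely."""
    sql = (
        "SELECT user_name FROM sys_user WHERE user_name = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """Binds both values as query parameters. The database compares them as
    data, so the SQL structure cannot be altered by the input."""
    sql = "SELECT user_name FROM sys_user WHERE user_name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def regression_check():
    """Returns True only if the fixed variant rejects what the vulnerable
    one accepts, while still accepting a genuine credential pair."""
    conn = make_db()
    quoted_user = "admin' --"   # constructed input: quote plus SQL comment
    return (
        login_vulnerable(conn, "admin", "correct-horse")
        and login_vulnerable(conn, quoted_user, "not-the-password")
        and login_fixed(conn, "admin", "correct-horse")
        and not login_fixed(conn, quoted_user, "not-the-password")
    )
```

A quick way to verify a patched build is to run the fixed check against the same quote-bearing username and confirm it no longer returns a row.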
Credit:
lengjingqicai (棱镜七彩开源安全研究院) (reporter)
References:
https://issues.apache.org/jira/browse/SUBMARINE-1361
https://github.com/apache/submarine/pull/1037
https://submarine.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-37924