PT-2023-2846 · Apache · Apache Inlong

Published: 2023-05-22 · Updated: 2024-10-11 · CVE-2023-31453

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache InLong versions 1.2.0 through 1.6.0

Description: The issue is related to incorrect permission assignment for critical resources in Apache InLong, allowing a remote attacker to impact the integrity and availability of protected information. Specifically, the attacker can delete others' subscriptions, even if they are not the owner of the deleted subscription.

Recommendations: For Apache InLong versions 1.2.0 through 1.6.0, upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7949 to solve the issue. As a temporary workaround, consider restricting access to subscription management features to minimize the risk of exploitation.
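The flaw described above is an authenticated caller being allowed to delete a subscription without the service comparing the caller against the subscription's stored owner. The Python sketch below is an added illustration of that pattern and its hardened counterpart; it is not Apache InLong code and not the change in PR 7949. All names (SubscriptionStore, delete_unchecked, delete_checked, PermissionDenied) are hypothetical and the sample subscriptions are constructed inline.

```python
"""Ownership check on a delete operation (added illustration, not InLong code).

All class and function names here are hypothetical; the subscription
records are constructed sample data.
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when a caller acts on a resource they do not own."""


@dataclass
class Subscription:
    sub_id: str
    owner: str
    topic: str


@dataclass
class SubscriptionStore:
    subs: dict = field(default_factory=dict)

    def add(self, sub):
        self.subs[sub.sub_id] = sub

    def delete_unchecked(self, caller, sub_id):
        # Vulnerable pattern: any authenticated caller (CVSS Au:S) may delete
        # any subscription by id; the caller is never compared to the owner.
        if sub_id not in self.subs:
            return False
        del self.subs[sub_id]
        return True

    def delete_checked(self, caller, sub_id, admins=frozenset()):
        # Hardened pattern: resolve the record first, then require that the
        # caller is the stored owner (or an explicitly listed admin) before
        # anything is mutated. Deny by default on a mismatch.
        sub = self.subs.get(sub_id)
        if sub is None:
            return False
        if caller != sub.owner and caller not in admins:
            raise PermissionDenied(f"{caller} is not the owner of {sub_id}")
        del self.subs[sub_id]
        return True


def build_sample_store():
    """Constructed sample data: two users, one subscription each."""
    store = SubscriptionStore()
    store.add(Subscription("sub-1", "alice", "orders"))
    store.add(Subscription("sub-2", "bob", "payments"))
    return store


def demo():
    """Issue the same cross-user delete against both implementations."""
    # Unchecked variant: bob removes alice's subscription.
    s1 = build_sample_store()
    unchecked = s1.delete_unchecked("bob", "sub-1")
    # Checked variant: the same request is refused and the record survives.
    s2 = build_sample_store()
    try:
        s2.delete_checked("bob", "sub-1")
        checked = "deleted"
    except PermissionDenied:
        checked = "denied"
    return unchecked, "sub-1" in s1.subs, checked, "sub-1" in s2.subs


if __name__ == "__main__":
    print(demo())  # (True, False, 'denied', True)
```

The point of the hardened version is the order of operations: look the record up, compare the authenticated principal to the owner recorded on it, and only then delete. An audit log entry on each PermissionDenied is a cheap detection signal for this class of probing, and the workaround in the recommendations (restricting who can reach subscription management at all) reduces the caller population until the version with the check is deployed.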

Fix

Weakness Enumeration: Incorrect Permission

Related Identifiers

BDU:2023-02791
CVE-2023-31453
GHSA-8RJH-3MHM-966Q

Affected Products

Apache Inlong