PT-2024-13610 · Apache · Apache Seatunnel
Jiahua Huang
+1
·
Published
2024-07-30
·
Updated
2025-07-10
·
CVE-2023-48396
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Apache SeaTunnel version 1.0.0
Description
The issue is related to a Web Authentication vulnerability in Apache SeaTunnel, where the jwt key is hardcoded in the application. This allows an attacker to forge any token and log in as any user. The attacker can obtain the secret key from
/seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token.Recommendations
For Apache SeaTunnel version 1.0.0, users are recommended to upgrade to version 1.0.1, which fixes the issue. As a temporary workaround, consider restricting access to the
/seatunnel-server/seatunnel-app/src/main/resources/application.yml file to prevent attackers from obtaining the secret key.Fix
Authentication Bypass by Spoofing
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Seatunnel