Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
huntrLujiefsiB7D89157-7CAB-4192-8003-D5BFEE2246F6
HistoryApr 17, 2023 - 8:51 a.m.

attackers can change the immutable name and type of cluster

2023-04-1708:51:45
lujiefsi
www.huntr.dev
5
proof of concept
admin
user1
hijack
burpsuit
request content
bugbounty
clustertags
incharges
type
immutable
name

EPSS

0.002

Percentile

61.1%

JSON

Proof of Concept

1 admin creates a cluster

2 admin adds user1 as one owner

3 attack login as user1

4 user1 edit the the cluster

5 user1 finds that the name and type can not be changed.

6 user1 still edits the cluster and using the burpsuit to hijack the request

7 the request content can be like

{“name”:“cluster1”,“type”:“AGENT”,“clusterTags”:“biaoqian3”,“inCharges”:“admin,user1”,“description”:“tst”,“id”:3,“version”:1}

8 change the name as cluster2(we can also change type)

9 result shows that the the name was successfully changed as te2

Related

veracode 1
cvelist 1
osv 2
prion 1
nvd 1
cnvd 1
github 1
cve 1
veracode
veracode
Exposure Of Resources To Wrong Sphere
2023-05-26 02:37:13
cvelist
cvelist
CVE-2023-31103 Apache InLong: Attackers can change the immutable name and type of cluster
2023-05-22 15:13:30
osv
osv
CVE-2023-31103
2023-05-22 16:15:10
Apache InLong Exposure of Resource to Wrong Sphere vulnerability
2023-07-06 21:14:59
prion
prion
Design/Logic Flaw
2023-05-22 16:15:00
nvd
nvd
CVE-2023-31103
2023-05-22 16:15:10
cnvd
cnvd
Apache InLong Security Bypass Vulnerability (CNVD-2023-42960)
2023-05-28 00:00:00
github
github
Apache InLong Exposure of Resource to Wrong Sphere vulnerability
2023-07-06 21:14:59
cve
cve
CVE-2023-31103
2023-05-22 16:15:10

EPSS

0.002

Percentile

61.1%

JSON
Related for B7D89157-7CAB-4192-8003-D5BFEE2246F6
veracode1cvelist1osv2prion1nvd1cnvd1github1cve1