← Retour aux CVEs

CVE-2023-37924

CRITICAL

9.8

Description

Apache Software Foundation Apache Submarine has an SQL injection vulnerability when a user logs in. This issue can result in unauthorized login. Now we have fixed this issue and now user must have the correct login to access workbench. This issue affects Apache Submarine: from 0.7.0 before 0.8.0. We recommend that all submarine users with 0.7.0 upgrade to 0.8.0, which not only fixes the issue, supports the oidc authentication mode, but also removes the case of unauthenticated logins. If using the version lower than 0.8.0 and not want to upgrade, you can try cherry-pick PR https://github.com/apache/submarine/pull/1037 https://github.com/apache/submarine/pull/1054 and rebuild the submarine-server image to fix this.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie11/22/2023

Derniere modification11/21/2024

Sourcenvd

Observations honeypot0

Produits affectes

apache:submarine

Faiblesses (CWE)

CWE-89

References

https://github.com/apache/submarine/pull/1037(security@apache.org)

https://issues.apache.org/jira/browse/SUBMARINE-1361(security@apache.org)

https://lists.apache.org/thread/g99h773vd49n1wyghdq1llv2f83w1b3r(security@apache.org)

https://github.com/apache/submarine/pull/1037(af854a3a-2127-422b-91ae-364da2661108)

https://issues.apache.org/jira/browse/SUBMARINE-1361(af854a3a-2127-422b-91ae-364da2661108)

https://lists.apache.org/thread/g99h773vd49n1wyghdq1llv2f83w1b3r(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.