Description
Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version 1.0.1, which fixes the issue.
References (2)
Core 2
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2024/07/30/1
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/1tdxfjksx0vb9gtyt77wlr6rdcy1qwmw
Scores
CVSS v3
9.1
EPSS
0.0033
EPSS Percentile
55.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-290
Status
published
Products (2)
apache/seatunnel
1.0.0
org.apache.seatunnel/seatunnel-web
0 - 1.0.1Maven
Published
Jul 30, 2024
Tracked Since
Feb 18, 2026