CVE-2023-37924: [SUBMARINE-1361] Fix Submarine SQL injection vulnerability
Apache Software Foundation Apache Submarine has a SQL injection vulnerability in the login path. It can result in unauthorized login. The issue is now fixed, and a user must present correct credentials to access the workbench. This issue affects Apache Submarine from 0.7.0 before 0.8.0. We recommend that all Submarine users on 0.7.0 upgrade to 0.8.0, which not only fixes the issue and adds support for the OIDC authentication mode, but also removes the unauthenticated-login case. If you are running a version lower than 0.8.0 and do not want to upgrade, you can cherry-pick PRs https://github.com/apache/submarine/pull/1037 and https://github.com/apache/submarine/pull/1054 and rebuild the submarine-server image to fix this.
Details
Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 0.7.0, 0.8.0
Fix Version/s: 0.8.0
Component/s: Backend Server
Labels: pull-request-available
Target Version: 0.8.0
Description
A SQL injection vulnerability has been found in Submarine, and the relevant part of the LIKE statement in MyBatis needs to be fixed.
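The advisory above describes an injection in the login path, and the issue description narrows it to a MyBatis LIKE statement. The following is an added example written for this page; it is not Submarine's code and does not reproduce its queries or schema. The table `sys_user`, its columns, the LIKE-based lookup shape, the test credentials and the payload are all constructed for illustration. It uses SQLite to show the same class of bug: a login lookup that pastes user input into a LIKE pattern (the effect of MyBatis `${...}` string substitution) beside a version that binds the values as parameters (the effect of `#{...}`) and escapes LIKE metacharacters.

```python
"""Constructed demo: SQL-injectable LIKE-based login lookup versus its hardened form.
Not Submarine's code; table, columns, credentials and payload are made up for the demo."""
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (user_name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO sys_user VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, user_name, password):
    """Attacker-controlled text is spliced into the SQL string itself, which is what
    MyBatis ${...} substitution does. Returns the matched user name or None."""
    sql = (
        "SELECT user_name FROM sys_user "
        "WHERE user_name LIKE '%" + user_name + "%' "
        "AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so a bound value is matched literally, not as a wildcard."""
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def login_fixed(conn, user_name, password):
    """Both values travel as bound parameters (the effect of MyBatis #{...}); the wildcards
    are appended inside the SQL, and user-supplied % and _ are escaped via ESCAPE."""
    sql = (
        "SELECT user_name FROM sys_user "
        "WHERE user_name LIKE '%' || ? || '%' ESCAPE '\\' "
        "AND password = ?"
    )
    row = conn.execute(sql, (escape_like(user_name), password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the same inputs through both variants and return the outcomes."""
    conn = make_db()
    payload = "' OR 1=1 --"  # constructed payload: closes the literal and comments out the rest
    return {
        # vulnerable: the password check is commented away, so the admin row comes back
        "vulnerable_bypass": login_vulnerable(conn, payload, "wrong"),
        # fixed: the payload is just a string that matches no user
        "fixed_bypass": login_fixed(conn, payload, "wrong"),
        # fixed: a bare '%' no longer acts as a wildcard, so it matches no user
        "fixed_wildcard": login_fixed(conn, "%", "correct-horse"),
        # fixed: a real user with the right password still logs in
        "fixed_legit": login_fixed(conn, "admin", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth taking from the example. Parameter binding alone closes the injection, but a LIKE-based lookup still lets `%` or `_` in the input widen the match unless they are escaped, which is why the hardened version adds `ESCAPE`; and a login check has no business using LIKE at all, an equality comparison on the user name is the right shape.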
Issue Links
links to GitHub Pull Request #1037
People
Assignee: cdmikechen
Reporter: cdmikechen
Votes: 0
Watchers: 1
Dates
Created: 07/Jan/23 01:23
Updated: 16/Jan/23 10:03
Resolved: 16/Jan/23 10:03