GHSA-cp2c-x2pc-fph7

GitHub Security Advisory

Apache SeaTunnel Web Authentication vulnerability

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Web Authentication vulnerability in Apache SeaTunnel. Since the JWT key is hardcoded in the application, an attacker can forge any token to log in as any user.

An attacker can obtain the secret key from /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0.

Users are recommended to upgrade to version 1.0.1, which fixes the issue.
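
A defender-side check for the pattern described above, added here as an example that is not from the advisory or the SeaTunnel project: it scans a Spring-style application.yml for secret-like keys whose value is a literal, or a `${VAR:default}` placeholder that still ships a fallback. The key names, the regular expressions and the sample YAML are constructed assumptions, since the page does not show the file's contents.

```python
import re

# Assumption: leaf key names that usually hold signing material; tune per project.
SECRET_KEY = re.compile(r"secret|signing[-_]?key|private[-_]?key|password", re.I)
# Spring property placeholder: ${NAME} or ${NAME:default}
PLACEHOLDER = re.compile(r"^\$\{([^:}]+)(?::(.*))?\}$")

# Constructed sample; key names and values are illustrative, not SeaTunnel's file.
SAMPLE = """\
jwt:
  expireTime: 86400
  secretKey: 0123456789abcdef-constructed-demo   # literal
  algorithm: HS256
spring:
  datasource:
    username: app
    password: ${DB_PASSWORD}
token:
  signing-key: "${TOKEN_KEY:changeme}"
"""

def find_hardcoded_secrets(yaml_text):
    """Return (line_no, dotted_key, reason) for secret-like keys with committed values.

    Handles nested 'key: value' mappings only (no lists or multi-line scalars).
    """
    findings, stack = [], []  # stack: (indent, key) of the enclosing mappings
    for no, raw in enumerate(yaml_text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if not value:  # a parent mapping, remember it for its children
            stack.append((indent, key))
        elif SECRET_KEY.search(key):
            m = PLACEHOLDER.match(value)
            if m is None:
                findings.append((no, path, "literal value committed to config"))
            elif m.group(2):  # ${VAR:default} still ships a known key
                findings.append((no, path, "placeholder carries a hardcoded fallback"))
    return findings

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE):
        print(finding)
```

A check like this fits in CI or a pre-commit hook, so a signing key never reaches the repository where anyone with source access can read it.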

Affected Packages

Maven org.apache.seatunnel:seatunnel-web
Affected versions: 0 (fixed in 1.0.1)

Key Information

GHSA ID: GHSA-cp2c-x2pc-fph7
Published: July 30, 2024 9:32 AM
Last Modified: July 30, 2024 4:30 PM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: org.apache.seatunnel:seatunnel-web
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 24, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.