Hi team, I was looking at this issue and noticed that when resetting passwords you are using a hardcoded value: https://github.com/apache/incubator-streampark/blob/dev/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/impl/UserServiceImpl.java#L149-L162

This is not ideal as it may allow an attacker to hijack an account when it gets reset.

Best,
Louis

On Tue, Apr 4, 2023 at 8:58 PM Huajie Wang <[email protected]> wrote:
> Severity: moderate
>
> Description:
>
> Logic error causing any account reset in Apache StreamPark for reporting
> this issue
>
> References:
>
> https://streampark.incubator.apache.org
> https://www.cve.org/CVERecord?id=CVE-2022-46365
>
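The pattern Louis describes, as an added illustration that is not StreamPark's code: a reset that assigns one fixed, well-known value beside a reset that generates a fresh random temporary password per account. The class, the user store and the `changeme123` default are all constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Constructed stand-in for a user service; not StreamPark's UserServiceImpl. */
public class PasswordReset {
    // Anti-pattern: a single fixed value that every reset account receives.
    private static final String HARDCODED_DEFAULT = "changeme123";
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> passwordHashes = new HashMap<>();

    /** Weak: anyone who knows the default can log in as a freshly reset account. */
    public void resetPasswordWeak(String username) {
        passwordHashes.put(username, hash(HARDCODED_DEFAULT));
    }

    /** Hardened: per-reset random secret, stored only as a hash, returned once
     *  so it can be delivered out of band to the verified account owner. */
    public String resetPasswordHardened(String username) {
        byte[] raw = new byte[18];                       // 144 bits of entropy
        RNG.nextBytes(raw);
        String temporary = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        passwordHashes.put(username, hash(temporary));
        return temporary;
    }

    public boolean verify(String username, String candidate) {
        String stored = passwordHashes.get(username);
        if (stored == null) return false;
        byte[] a = stored.getBytes(StandardCharsets.UTF_8);
        byte[] b = hash(candidate).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);             // constant-time compare
    }

    // Demonstration only: production code should use a slow hash (bcrypt/argon2).
    private static String hash(String s) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder().encodeToString(md.digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        PasswordReset svc = new PasswordReset();
        svc.resetPasswordWeak("alice");
        System.out.println("weak reset, default accepted: " + svc.verify("alice", HARDCODED_DEFAULT));
        String temp = svc.resetPasswordHardened("alice");
        System.out.println("hardened reset, default accepted: " + svc.verify("alice", HARDCODED_DEFAULT));
        System.out.println("hardened reset, issued secret accepted: " + svc.verify("alice", temp));
    }
}
```

The first line prints `true`, the remaining two print `false` and `true`, which is the detectable difference between the two designs: after the hardened reset, no value other than the one-time secret handed to the account owner opens the account.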
