Hi Louis: The reset password is hardcoded, which may cause security issues. We have started to fix this issue and will generate a random password to return. Looking forward to hearing your feedback.

Best,
Huajie Wang

Louis Nyffenegger <[email protected]> wrote on Tue, Apr 25, 2023 at 08:43:
> Hi team,
>
> I was looking at this issue and noticed that when resetting passwords you
> are using a hardcoded value:
>
> https://github.com/apache/incubator-streampark/blob/dev/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/service/impl/UserServiceImpl.java#L149-L162
>
> This is not ideal as it may allow an attacker to hijack an account when it
> gets reset.
>
> Best,
> Louis
>
> On Tue, Apr 4, 2023 at 8:58 PM Huajie Wang <[email protected]> wrote:
> >
> > Severity: moderate
> >
> > Description:
> >
> > Logic error causing any account reset in Apache StreamPark for reporting
> > this issue
> >
> > References:
> >
> > https://streampark.incubator.apache.org
> > https://www.cve.org/CVERecord?id=CVE-2022-46365
> >
> >
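As an added example that is not part of this thread and not StreamPark's code: the hardcoded-reset pattern Louis points at, beside a SecureRandom-based one-time password of the kind Huajie says the team is moving to. The class and method names, the placeholder constant, the in-memory user store and the PBKDF2 parameters are all assumptions for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical illustration only; not StreamPark's UserServiceImpl.
public final class PasswordResetExample {

    // Weak pattern: every reset assigns the same fixed value. Because it sits in
    // public source, anyone can log in as the reset account before its owner does.
    static final String HARDCODED_RESET_PASSWORD = "changeme"; // assumed placeholder

    static String weakReset() {
        return HARDCODED_RESET_PASSWORD;
    }

    // Hardened pattern: an unpredictable one-time value from a CSPRNG.
    private static final SecureRandom RNG = new SecureRandom();
    // Alphabet without 0/O and 1/l/I so the value can be read back to a user.
    private static final String ALPHABET =
            "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789";

    static String randomPassword(int length) {
        if (length < 16) {
            throw new IllegalArgumentException("reset password must be at least 16 chars");
        }
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            // nextInt(bound) is uniform over the alphabet, so there is no modulo bias.
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Only a salted, slow hash is persisted; the plaintext lives just long enough
    // to be handed back once (to the admin, or sent to the user out of band).
    static final class StoredCredential {
        final byte[] salt;
        final byte[] hash;
        final boolean mustChangeAtNextLogin = true; // the one-time value is not a real password
        StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        // Iteration count is an assumption; tune it to the deployment's hardware.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 600_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    /** Resets the account and returns the one-time plaintext exactly once. */
    static String resetPassword(Map<String, StoredCredential> userStore, String username)
            throws GeneralSecurityException {
        String oneTime = randomPassword(20);
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        userStore.put(username, new StoredCredential(salt, pbkdf2(oneTime.toCharArray(), salt)));
        return oneTime;
    }

    static boolean verify(StoredCredential cred, String attempt) throws GeneralSecurityException {
        // Constant-time comparison of the stored hash against the attempt's hash.
        return MessageDigest.isEqual(cred.hash, pbkdf2(attempt.toCharArray(), cred.salt));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Map<String, StoredCredential> users = new HashMap<>(); // constructed sample store
        String alice = resetPassword(users, "alice");
        String bob = resetPassword(users, "bob");
        System.out.println("weak reset gives every account: " + weakReset());
        System.out.println("alice one-time value: " + alice);
        System.out.println("bob one-time value:   " + bob + " (differs: " + !alice.equals(bob) + ")");
        System.out.println("alice logs in with her value:    " + verify(users.get("alice"), alice));
        System.out.println("attacker tries hardcoded value:  "
                + verify(users.get("alice"), HARDCODED_RESET_PASSWORD));
    }
}
```

Compile and run with `javac PasswordResetExample.java && java PasswordResetExample`. The two checks a reviewer would want on a real fix are visible here: two resets never yield the same value, and the old fixed string no longer verifies against any account. Delivery of the one-time value (who sees it, over which channel) and the forced change at next login matter as much as the randomness itself.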
