Inlong
CVE-2023-27296
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.
It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability.
This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it.
[1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html
https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html
[2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422
AnalysisAI
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Technical ContextAI
This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422 Affected products include: Apache Inlong. Version information: through 1.5.0..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.5.0 through 1.9.0, which could
Critical deserialization of untrusted data vulnerability in Apache InLong versions 1.13.0 through 2.0.x that allows auth
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.10.0 through 1.12.0, which coul
Deserialization of Untrusted Data vulnerability in Apache InLong.7.0 through 1.11.0, the attackers can bypass using mali
Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.4.0 through 1.8.0, some sensitive params
Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Fo
Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.1.0 through 1.6.0. Rated critical s
Improper Privilege Management Vulnerabilities in Apache Software Foundation Apache InLong.2.0 through 1.6.0. Rated criti
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.1.0 through 1.5.0. Rated cri
Deserialization of Untrusted Data vulnerability in Apache InLong.8.0 through 1.10.0, the attackers can use the specific
Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.4.0 throug
Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.4.0 through 1.6.0. Rated criti
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today