CVE-2022-40955

2022-09-2014:15:09

CWE-502

[email protected]

web.nvd.nist.gov

cve-2022-40955

apache inlong

remote code execution

security vulnerability

nvd

apache inlong 1.3.0

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.3%

JSON

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.

Affected configurations

Vulners

NVD

Node

apacheinlongRange≤1.3.0

CPENameOperatorVersion
apache:inlongapache inlonglt1.3.0

CPE	Name	Operator	Version
apache:inlong	apache inlong	lt	1.3.0

CNA Affected

[
  {
    "product": "Apache InLong",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "1.3.0",
        "status": "affected",
        "version": "Apache InLong",
        "versionType": "custom"
      }
    ]
  }
]