CVE-2023-30465

2023-04-1115:15:10

CWE-89

[email protected]

web.nvd.nist.gov

168

cve-2023-30465

apache software foundation

sql injection

vulnerability

upgrade

security advisory

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.8 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

56.2%

JSON

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the “orderType” parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the user with ID 1 from the “user” table, one character at a time. Users are advised to upgrade to Apache InLong’s 1.6.0 or cherry-pick [1] to solve it.

https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html

[1] https://github.com/apache/inlong/issues/7529 https://github.com/apache/inlong/issues/7529

Affected configurations

Vulners

NVD

Node

apacheinlongRange≤1.5.0

CPENameOperatorVersion
apache:inlongapache inlongeq1.4.0
apache:inlongapache inlongeq1.5.0

CPE	Name	Operator	Version
apache:inlong	apache inlong	eq	1.4.0
apache:inlong	apache inlong	eq	1.5.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache InLong",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.5.0",
        "status": "affected",
        "version": "1.4.0",
        "versionType": "semver"
      }
    ]
  }
]