Lucene search

GitHub Advisory DatabaseGHSA-26M4-QJP9-XMC6

HistorySep 21, 2022 - 12:00 a.m.

Apache InLong vulnerable to Deserialization of Untrusted Data

2022-09-2100:00:46

CWE-502

GitHub Advisory Database

github.com

apache inlong

vulnerability

data deserialization

remote code execution

mysql

upgrade

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

70.2%

JSON

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.

Affected configurations

Vulners

Node

org.apache.inlonginlong-commonRange<1.3.0

VendorProductVersionCPE
org.apache.inlonginlong-common*cpe:2.3:a:org.apache.inlong:inlong-common:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.inlong	inlong-common	*	cpe:2.3:a:org.apache.inlong:inlong-common::::::::

References

www.openwall.com/lists/oss-security/2022/09/22/5

github.com/advisories/GHSA-26m4-qjp9-xmc6

lists.apache.org/thread/r1r34y7bchrpmp9jhfdoohzdmk7pj1q1

nvd.nist.gov/vuln/detail/CVE-2022-40955

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

70.2%

JSON

Related for GHSA-26M4-QJP9-XMC6