Lucene search

GitHub Advisory DatabaseGHSA-9XG9-HH45-XCM6

HistoryJan 03, 2024 - 12:30 p.m.

Apache InLong Manager Remote Code Execution vulnerability

2024-01-0312:30:21

CWE-94

GitHub Advisory Database

github.com

apache inlong

remote code execution

vulnerability

upgrade

code injection

software

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.002

Percentile

60.5%

JSON

Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache InLong.This issue affects Apache InLong: from 1.5.0 through 1.9.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong’s 1.10.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/9329

Affected configurations

Vulners

Node

org.apache.inlongmanager-pojoRange1.5.0–1.10.0

VendorProductVersionCPE
org.apache.inlongmanager-pojo*cpe:2.3:a:org.apache.inlong:manager-pojo:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.inlong	manager-pojo	*	cpe:2.3:a:org.apache.inlong:manager-pojo::::::::

References

www.openwall.com/lists/oss-security/2024/01/03/1

github.com/advisories/GHSA-9xg9-hh45-xcm6

github.com/apache/inlong/commit/1607837be28438c0ccae8da15afb653f2afed090

github.com/apache/inlong/pull/9329

lists.apache.org/thread/4nxbyl6mh5jgh0plk0qposbxwn6w9h8j

nvd.nist.gov/vuln/detail/CVE-2023-51784

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

High

EPSS

0.002

Percentile

60.5%

JSON

Related for GHSA-9XG9-HH45-XCM6