Lucene search

GitHub Advisory DatabaseGHSA-CRWJ-2R3C-GX2G

HistoryJan 03, 2024 - 12:30 p.m.

Apache InLong Manager Arbitrary File Read Vulnerability

2024-01-0312:30:21

CWE-502

GitHub Advisory Database

github.com

apache inlong

arbitrary file read

vulnerability

deserialization

untrusted data

upgrade

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.7%

JSON

Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong’s 1.10.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/9331

Affected configurations

Vulners

Node

org.apache.inlong\managerMatchpojo

CPENameOperatorVersion
org.apache.inlong:manager-pojolt1.10.0

CPE	Name	Operator	Version
	org.apache.inlong:manager-pojo	lt	1.10.0

References

www.openwall.com/lists/oss-security/2024/01/03/2

github.com/advisories/GHSA-crwj-2r3c-gx2g

github.com/apache/inlong/commit/d674bfe28416aff728eabafc1f6b8bb9ba5a5b8e

github.com/apache/inlong/pull/9331

lists.apache.org/thread/g0yjmtjqvp8bnf1j0tdsk0nhfozjdjno

nvd.nist.gov/vuln/detail/CVE-2023-51785

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.9 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.7%

JSON

Related for GHSA-CRWJ-2R3C-GX2G