Lucene search

[email protected]NVD:CVE-2022-40955

HistorySep 20, 2022 - 2:15 p.m.

CVE-2022-40955

2022-09-2014:15:09

CWE-502

[email protected]

web.nvd.nist.gov

apache inlong

mysql

jdbc

deserialization

rce

upgrade

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

70.2%

JSON

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.

Affected configurations

Nvd

Node

apacheinlongRange<1.3.0

VendorProductVersionCPE
apacheinlong*cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	inlong	*	cpe:2.3:a:apache:inlong::::::::

References

www.openwall.com/lists/oss-security/2022/09/22/5

lists.apache.org/thread/r1r34y7bchrpmp9jhfdoohzdmk7pj1q1

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

70.2%

JSON

Related for NVD:CVE-2022-40955

cve1 veracode1 osv1 cnvd1 prion1 cvelist1 github1