Lucene search

[email protected]NVD:CVE-2023-35088

HistoryJul 25, 2023 - 8:15 a.m.

CVE-2023-35088

2023-07-2508:15:10

CWE-89

[email protected]

web.nvd.nist.gov

cve-2023-35088

sql injection

apache inlong

security vulnerability

upgrade advisory

software foundation

1.8.0

apache inlong's 1.8.0

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.016

Percentile

87.8%

JSON

Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’) vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.
In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks.
Users are advised to upgrade to Apache InLong’s 1.8.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8198

Affected configurations

Nvd

Node

apacheinlongRange1.4.0–1.7.0

VendorProductVersionCPE
apacheinlong*cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	inlong	*	cpe:2.3:a:apache:inlong::::::::

References

seclists.org/fulldisclosure/2023/Jul/43

www.openwall.com/lists/oss-security/2023/07/25/4

lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.016

Percentile

87.8%

JSON

Related for NVD:CVE-2023-35088

github1 prion1 osv2 cvelist1 veracode1 cve1