Lucene search

[email protected]NVD:CVE-2024-26580

HistoryMar 06, 2024 - 12:15 p.m.

CVE-2024-26580

2024-03-0612:15:45

CWE-502

[email protected]

web.nvd.nist.gov

apache inlong

deserialization vulnerability

arbitrary file read

upgrade

security fix

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

6.4

Confidence

High

EPSS

Percentile

9.0%

JSON

Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can

use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong’s 1.11.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/9673

References

www.openwall.com/lists/oss-security/2024/03/06/1

lists.apache.org/thread/xvomf66l58x4dmoyzojflvx52gkzcdmk

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

6.4

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for NVD:CVE-2024-26580

cvelist1 cnvd1 veracode1 vulnrichment1 cve1 github1 osv1 prion1