Apache InLong Deserialization of Untrusted Data Vulnerability

2023-07-0621:14:59

Google

osv.dev

apache inlong

vulnerability

data deserialization

software foundation

upgrade

security issue

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.002 Low

EPSS

Percentile

53.6%

JSON

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers would bypass the autoDeserialize option filtering by adding blanks. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7674 to solve it.

CPENameOperatorVersion
org.apache.inlong:manager-pojoeq1.4.0
org.apache.inlong:manager-commoneq1.5.0
org.apache.inlong:manager-commoneq1.6.0
org.apache.inlong:manager-pojoeq1.5.0
org.apache.inlong:manager-pojoeq1.6.0
org.apache.inlong:manager-commoneq1.4.0

Name	Operator	Version
org.apache.inlong:manager-pojo	eq	1.4.0
org.apache.inlong:manager-common	eq	1.5.0
org.apache.inlong:manager-common	eq	1.6.0
org.apache.inlong:manager-pojo	eq	1.5.0
org.apache.inlong:manager-pojo	eq	1.6.0
org.apache.inlong:manager-common	eq	1.4.0