Deserialization Of Untrusted Data

2023-10-2309:42:50

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

org.apache.inlong

deserialization of untrusted data

url parameters

code execution

sql injection

unauthorized data access

manager-pojo

mysqlsinkdto

improper sanitizing

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

45.7%

JSON

org.apache.inlong: manager-pojo is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to filterSensitive function in MySQLSinkDTO.java not properly sanitizing whitespace characters, especially the horizontal tab \t, in URL parameters, which allows these characters to bypass parameter filtering. This allows attackers to craft malicious parameters and potentially lead to several security risks like Code execution, SQL injection or Unauthorized data access.