CVE-2022-40955 – org.apache.inlong:inlong-common
Package
Manager: maven
Name: org.apache.inlong:inlong-common
Vulnerable Version: >=0 <1.3.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.03656 (percentile: 0.87408)
Details
Apache InLong vulnerable to Deserialization of Untrusted Data
In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.
Metadata
Created: 2022-09-21T00:00:46Z
Modified: 2022-09-21T21:11:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-26m4-qjp9-xmc6/GHSA-26m4-qjp9-xmc6.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-26m4-qjp9-xmc6
Finding: F096
Auto approve: 1