CVE-2023-27296 org.apache.inlong:inlong-manager

Package

Manager: maven
Name: org.apache.inlong:inlong-manager
Vulnerable Version: >=1.1.0 <1.6.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00204 (percentile 0.42698)

Details

Apache InLong vulnerable to JDBC Deserialization of Untrusted Data

Apache InLong versions from 1.1.0 through 1.5.0 are vulnerable to Java Database Connectivity (JDBC) deserialization of untrusted data from the MySQL JDBC URL in MySQLDataNode. It could be triggered by authenticated users of InLong. This has been patched in version 1.6.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick the [patch](https://github.com/apache/inlong/pull/7422) to solve it.
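An added example, not code from the advisory or from Apache InLong, of the server-side check that closes this bug class: a user-supplied MySQL JDBC URL is accepted only if every connection property is on an explicit allowlist, so driver properties that turn server-controlled data into deserialized objects never reach the driver. The allowed property names, the rejection of the address=(...) host form, and the sample URLs are assumptions drawn from MySQL Connector/J URL syntax, not from the InLong patch.

```python
from urllib.parse import parse_qs

# Assumed allowlist of harmless Connector/J properties an operator may set.
# Anything not listed is rejected; a denylist would miss renamed or new
# properties, so the allowlist is the safer default.
ALLOWED_PROPERTIES = {
    "usessl", "requiressl", "verifyservercertificate", "usessl",
    "characterencoding", "useunicode", "servertimezone",
    "connecttimeout", "sockettimeout",
}

class UnsafeJdbcUrl(ValueError):
    """Raised when a URL could change driver behaviour beyond a plain connection."""

def validate_mysql_jdbc_url(url: str) -> dict:
    """Return host, database and lower-cased properties of a vetted MySQL JDBC URL.

    Raises UnsafeJdbcUrl for any URL that is not a plain jdbc:mysql:// URL
    or that carries a property outside ALLOWED_PROPERTIES.
    """
    prefix = "jdbc:mysql://"
    # Exact scheme only: loadbalance://, replication:// and +srv:// variants
    # have their own parsing rules and are not covered by this check.
    if not url.lower().startswith(prefix):
        raise UnsafeJdbcUrl("only plain jdbc:mysql:// URLs are accepted")
    rest = url[len(prefix):]
    authority, _, path_and_query = rest.partition("/")
    if not authority:
        raise UnsafeJdbcUrl("missing host")
    # Connector/J also accepts per-host properties inside the authority,
    # e.g. address=(host=h)(key=v); refuse that form and percent-encoding there.
    if any(ch in authority for ch in "()=%"):
        raise UnsafeJdbcUrl("host section must be plain host[:port]")
    database, _, query = path_and_query.partition("?")
    # parse_qs percent-decodes keys, so encoded spellings are normalised
    # before the allowlist comparison; blank values are kept so 'key' alone
    # is still checked.
    params = parse_qs(query, keep_blank_values=True)
    properties = {}
    for key, values in params.items():
        name = key.strip().lower()
        if name not in ALLOWED_PROPERTIES:
            raise UnsafeJdbcUrl(f"property not allowed: {key}")
        properties[name] = values[-1]
    return {"host": authority, "database": database, "properties": properties}

def is_safe_mysql_jdbc_url(url: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_mysql_jdbc_url(url)
        return True
    except UnsafeJdbcUrl:
        return False
```

Applied where the data-node URL is stored and again where the connection is opened, this turns an attacker-controlled driver configuration back into a fixed host, database and a handful of known properties.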

Metadata

Created: 2023-03-27T15:30:16Z
Modified: 2023-03-31T16:08:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-gpqq-59rp-3c3w/GHSA-gpqq-59rp-3c3w.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-gpqq-59rp-3c3w
Finding: F096
Auto approve: 1