CVE-2023-27296

HIGH8.8EPSS 0.59%

Apache InLong vulnerable to JDBC Deserialization of Untrusted Data

Published: 3/27/2023Modified: 11/8/2023

Description

Apache InLong versions from 1.1.0 through 1.5.0 are vulnerable to Java Database Connectivity (JDBC) deserialization of untrusted data from the MySQL JDBC URL in MySQLDataNode. It could be triggered by authenticated users of InLong. This has been patched in version 1.6.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick the [patch](https://github.com/apache/inlong/pull/7422) to solve it.

Affected packages (1)

Maven/org.apache.inlong:inlong-manager>= 1.1.0, < 1.6.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-27296
PATCHhttps://github.com/apache/inlong
WEBhttps://github.com/apache/inlong/pull/7422
WEBhttps://lists.apache.org/thread/xbvtjw9bwzgbo9fp1by8o3p49nf59xzt
WEBhttps://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html