CVE-2024-26579
CRITICAL9.8EPSS 0.54%Apache Inlong Deserialization of Untrusted Data vulnerability
Published: 5/8/2024Modified: 5/4/2026
Description
Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.7.0 through 1.11.0. The attackers can bypass using malicious parameters. Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2] https://github.com/apache/inlong/pull/9707
Affected packages (1)
- Maven/org.apache.inlong:manager-pojo>= 1.7.0, < 1.12.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORYhttps://github.com/advisories/GHSA-fgh3-pwmp-3qw3
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-26579
- PATCHhttps://github.com/apache/inlong
- WEBhttps://github.com/apache/inlong/commit/23e3e00cae1fd120b089fca54f7440945dfe11a4
- WEBhttps://github.com/apache/inlong/commit/cdf616670942fec7d09fae2452e2ea215205dd1d
- WEBhttps://github.com/apache/inlong/pull/9694
- WEBhttps://github.com/apache/inlong/pull/9707
- WEBhttps://lists.apache.org/thread/d2hndtvh6bll4pkl91o2oqxyynhr54k3
- WEBhttp://www.openwall.com/lists/oss-security/2024/05/09/2