CVE-2023-27296

HIGH8.8EPSS 0.59%

Apache InLong vulnerable to JDBC Deserialization of Untrusted Data

發布日:2023/3/27修改日:2023/11/8

描述

Apache InLong versions from 1.1.0 through 1.5.0 are vulnerable to Java Database Connectivity (JDBC) deserialization of untrusted data from the MySQL JDBC URL in MySQLDataNode. It could be triggered by authenticated users of InLong. This has been patched in version 1.6.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick the [patch](https://github.com/apache/inlong/pull/7422) to solve it.

受影響套件(1)

Maven/org.apache.inlong:inlong-manager>= 1.1.0, < 1.6.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-27296
PATCHhttps://github.com/apache/inlong
WEBhttps://github.com/apache/inlong/pull/7422
WEBhttps://lists.apache.org/thread/xbvtjw9bwzgbo9fp1by8o3p49nf59xzt
WEBhttps://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html