CVE-2024-26579
CRITICAL9.8EPSS 0.54%Apache Inlong Deserialization of Untrusted Data vulnerability
發布日:2024/5/8修改日:2026/5/4
描述
Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.7.0 through 1.11.0. The attackers can bypass using malicious parameters. Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2] https://github.com/apache/inlong/pull/9707
受影響套件(1)
- Maven/org.apache.inlong:manager-pojo>= 1.7.0, < 1.12.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(9)
- ADVISORYhttps://github.com/advisories/GHSA-fgh3-pwmp-3qw3
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-26579
- PATCHhttps://github.com/apache/inlong
- WEBhttps://github.com/apache/inlong/commit/23e3e00cae1fd120b089fca54f7440945dfe11a4
- WEBhttps://github.com/apache/inlong/commit/cdf616670942fec7d09fae2452e2ea215205dd1d
- WEBhttps://github.com/apache/inlong/pull/9694
- WEBhttps://github.com/apache/inlong/pull/9707
- WEBhttps://lists.apache.org/thread/d2hndtvh6bll4pkl91o2oqxyynhr54k3
- WEBhttp://www.openwall.com/lists/oss-security/2024/05/09/2