CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2023-43668 – Apache InLong: Jdbc Connection Security Bypass in InLong
https://notcve.org/view.php?id=CVE-2023-43668
Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... . Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8604 Vulnerabilidad de Omisión de Autorización a Través de la Clave Controlada por el Usuario en Apache InLong. Este problema afecta a Apache InLong: desde 1.4.0 hasta 1.8.0, se omitirán algunas comprobaciones de parámetros confidenciales, como ""autoDeserizalize"", ""allowLoadLocalInfile"".... Se recomienda a los usuarios actualizar a Apache InLong 1.9.0 o al cherry-pick [1] para resolverlo. [1] https://github.com/apache/inlong/pull/8604 • https://lists.apache.org/thread/16gtk7rpdm1rof075ro83fkrnhbzn5sh • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2023-35088 – Apache InLong: SQL injection in audit endpoint
https://notcve.org/view.php?id=CVE-2023-35088
Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8198 • http://seclists.org/fulldisclosure/2023/Jul/43 http://www.openwall.com/lists/oss-security/2023/07/25/4 https://lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34434 – Apache InLong: JDBC URL bypassing by allowLoadLocalInfileInPath param
https://notcve.org/view.php?id=CVE-2023-34434
Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130 . • http://seclists.org/fulldisclosure/2023/Jul/43 http://www.openwall.com/lists/oss-security/2023/07/25/3 https://lists.apache.org/thread/7f1o71w5r732cspltmtdydn01gllf4jo • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34189 – Apache InLong: General user can delete and update process
https://notcve.org/view.php?id=CVE-2023-34189
Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could use general users to delete and update the process, which only the admin can operate occurrences. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8109 to solve it. • http://www.openwall.com/lists/oss-security/2023/07/25/2 https://lists.apache.org/thread/smxqyx43hxjvzv4w71n2n3rfho9p378s • CWE-668: Exposure of Resource to Wrong Sphere •