Lucene search

ApacheCVE-2023-27296

HistoryMar 27, 2023 - 3:15 p.m.

CVE-2023-27296

2023-03-2715:15:08

CWE-502

apache

web.nvd.nist.gov

cve-2023-27296

apache software foundation

apache inlong

deserialization vulnerability

untrusted data

authentication vulnerability

security patch

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.001

Percentile

44.4%

JSON

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.

It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability.

This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong’s latest version or cherry-pick [2] to solve it.

[1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html

https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html

[2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422

Affected configurations

Nvd

Vulners

Node

apacheinlongRange1.1.0–1.5.0

VendorProductVersionCPE
apacheinlong*cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	inlong	*	cpe:2.3:a:apache:inlong::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache InLong",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.5.0",
        "status": "affected",
        "version": "1.1.0",
        "versionType": "semver"
      }
    ]
  }
]