CVE-2023-30465

2023-04-1115:15:10

CWE-89

apache

web.nvd.nist.gov

175

cve-2023-30465

apache software foundation

sql injection

vulnerability

upgrade

security advisory

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.8

Confidence

High

EPSS

0.002

Percentile

56.0%

JSON

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the “orderType” parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the user with ID 1 from the “user” table, one character at a time. Users are advised to upgrade to Apache InLong’s 1.6.0 or cherry-pick [1] to solve it.

https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html

[1] https://github.com/apache/inlong/issues/7529 https://github.com/apache/inlong/issues/7529

Affected configurations

Nvd

Vulners

Node

apacheinlongMatch1.4.0

apacheinlongMatch1.5.0

VendorProductVersionCPE
apacheinlong1.4.0cpe:2.3:a:apache:inlong:1.4.0:*:*:*:*:*:*:*
apacheinlong1.5.0cpe:2.3:a:apache:inlong:1.5.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	inlong	1.4.0	cpe:2.3:a:apache:inlong:1.4.0:::::::*
apache	inlong	1.5.0	cpe:2.3:a:apache:inlong:1.5.0:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache InLong",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.5.0",
        "status": "affected",
        "version": "1.4.0",
        "versionType": "semver"
      }
    ]
  }
]