Lucene search

ApacheCVE-2024-26580

HistoryMar 06, 2024 - 12:15 p.m.

CVE-2024-26580

2024-03-0612:15:45

CWE-502

apache

web.nvd.nist.gov

cve

2024

26580

apache

inlong

vulnerability

deserialization

file read

upgrade

nvd

security

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

6.5

Confidence

Low

EPSS

Percentile

9.0%

JSON

Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can

use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong’s 1.11.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/9673

Affected configurations

Vulners

Vulnrichment

Node

apacheinlongRange≤1.10.0

VendorProductVersionCPE
apacheinlong*cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	inlong	*	cpe:2.3:a:apache:inlong::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache InLong",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.10.0",
        "status": "affected",
        "version": "1.4.0",
        "versionType": "semver"
      }
    ]
  }
]