Lucene search

GitHub Advisory DatabaseGHSA-PQ67-9JF9-HC3C

HistoryJul 25, 2023 - 9:30 a.m.

JDBC URL bypassing by allowLoadLocalInfileInPath param

2023-07-2509:30:18

CWE-502

GitHub Advisory Database

github.com

jdbc

url bypass

apache inlong

deserialization vulnerability

untrusted data

arbitrary file reading

upgrade

security issue

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

73.7%

JSON

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.

The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong’s 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130 .

Affected configurations

Vulners

Node

org.apache.inlongmanager-pojoRange1.4.0–1.8.0

VendorProductVersionCPE
org.apache.inlongmanager-pojo*cpe:2.3:a:org.apache.inlong:manager-pojo:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.inlong	manager-pojo	*	cpe:2.3:a:org.apache.inlong:manager-pojo::::::::

References

seclists.org/fulldisclosure/2023/Jul/43

www.openwall.com/lists/oss-security/2023/07/25/3

github.com/advisories/GHSA-pq67-9jf9-hc3c

github.com/apache/inlong/pull/8130

lists.apache.org/thread/7f1o71w5r732cspltmtdydn01gllf4jo

nvd.nist.gov/vuln/detail/CVE-2023-34434

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

73.7%

JSON

Related for GHSA-PQ67-9JF9-HC3C