Lucene search

GitHub Advisory DatabaseGHSA-R5PV-7G89-CXMC

HistoryJul 25, 2023 - 9:30 a.m.

SQL injection in audit endpoint

2023-07-2509:30:18

CWE-89

GitHub Advisory Database

github.com

sql injection

apache inlong

vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.016

Percentile

87.8%

JSON

Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’) vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.
In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks.
Users are advised to upgrade to Apache InLong’s 1.8.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8198

Affected configurations

Vulners

Node

org.apache.inlongmanager-serviceRange1.4.0–1.8.0

VendorProductVersionCPE
org.apache.inlongmanager-service*cpe:2.3:a:org.apache.inlong:manager-service:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.inlong	manager-service	*	cpe:2.3:a:org.apache.inlong:manager-service::::::::

References

seclists.org/fulldisclosure/2023/Jul/43

www.openwall.com/lists/oss-security/2023/07/25/4

github.com/advisories/GHSA-r5pv-7g89-cxmc

github.com/apache/inlong/pull/8198

lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk

nvd.nist.gov/vuln/detail/CVE-2023-35088

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.016

Percentile

87.8%

JSON

Related for GHSA-R5PV-7G89-CXMC