Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.This issue affects Apache InLong: from 1.5.0 through 1.9.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9329
The vulnerability results from improper control of code generation. An attacker can provide specially crafted input data that will be incorrectly processed by the application and executed as code on the server side. The attack requires no authentication or user interaction, which significantly lowers the threshold for carrying it out.
An attacker can gain full control over the system running Apache InLong — including the ability to read, modify or delete data, as well as perform lateral movement within the internal network. The vulnerability leads to a breach of confidentiality, integrity and availability of the system.
Apache InLong should be updated immediately to version 1.10.0. Alternatively, a patch available in the pull request can be applied: https://github.com/apache/inlong/pull/9329.
Apache InLong versions 1.5.0 to 1.9.0 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Inlong
APPApache1.5.0 – 1.10.0 (bez)
Related vulnerabilities
Apache InLong: deserializacja danych — odczyt dowolnych plików
Niebezpieczna deserializacja w Apache InLong umożliwia odczyt plików
Apache InLong — Code Injection umożliwiający zdalne wykonanie kodu (RCE)
Deserializacja niezaufanych danych w Apache InLong — ominięcie zabezpieczeń
Apache InLong — deserializacja danych umożliwiająca odczyt dowolnych plików