Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.11.0, the attackers can bypass using malicious parameters. Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2] https://github.com/apache/inlong/pull/9707
The vulnerability results from improper handling of deserialization of input data in Apache InLong. A remote attacker, without authentication and without user interaction, can submit malicious parameters that bypass protection mechanisms against unsafe deserialization. Processing such data by the application may lead to unintended code execution or manipulation of system state.
Successful exploitation of this vulnerability allows an attacker to gain complete control over the application — including unauthorized access to data (C:H), modification of data or configuration (I:H), and disruption of service availability (A:H).
Apache InLong should be updated to version 1.12.0 or security patches indicated by the vendor in the following pull requests should be applied: https://github.com/apache/inlong/pull/9694 and https://github.com/apache/inlong/pull/9707.
Apache InLong in versions 1.7.0 through 1.11.0 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Inlong
APPApache1.7.0 – 1.12.0 (bez)
Related vulnerabilities
Apache InLong: deserializacja danych — odczyt dowolnych plików
Niebezpieczna deserializacja w Apache InLong umożliwia odczyt plików
Apache InLong — Code Injection umożliwiający zdalne wykonanie kodu (RCE)
Apache InLong — deserializacja danych umożliwiająca odczyt dowolnych plików
Apache InLong — Code Injection umożliwiający zdalne wykonanie kodu (RCE)