CRITICAL🇵🇱 Wersja polska

CVE-2024-36268

CVSS 9.8v3.1pub. 2024-08-02upd. 2024-11-21

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/10251

🤖 AI Analysis
How it works

The vulnerability is caused by improper control of code generation (CWE-94 — Improper Control of Generation of Code), which enables injection of malicious code executed by the server. The vulnerability is remotely accessible over the network without requiring an account or user interaction. The attack does not require special prerequisites (low complexity), making it easy to execute.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely on the server, which may lead to complete system compromise, data breach, and violation of service integrity and availability.

Mitigation & patch

Apache InLong should be updated to version 1.13.0. Alternatively, it is possible to selectively apply a patch (cherry-pick) from the GitHub repository: https://github.com/apache/inlong/pull/10251.

Who is affected

Apache InLong in versions 1.10.0 to 1.12.0 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Inlong

    APP
    Apache
    1.10.0 – 1.13.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-27531CRITICAL9.8PL ✓ten sam produkt

Apache InLong: deserializacja danych — odczyt dowolnych plików

CVE-2025-27528CRITICAL9.1PL ✓ten sam produkt

Niebezpieczna deserializacja w Apache InLong umożliwia odczyt plików

CVE-2024-26579CRITICAL9.8PL ✓ten sam produkt

Deserializacja niezaufanych danych w Apache InLong — ominięcie zabezpieczeń

CVE-2024-26580CRITICAL9.1PL ✓ten sam produkt

Apache InLong — deserializacja danych umożliwiająca odczyt dowolnych plików

CVE-2023-51784CRITICAL9.8PL ✓ten sam produkt

Apache InLong — Code Injection umożliwiający zdalne wykonanie kodu (RCE)