CVE-2023-27296

CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

8.8HIGH

EPSS

0.6%

top 30.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Inlong Apache Inlong

Timeline

PublishedMar 27

Description

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserializa…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5apache_software_foundation/apache_inlong1.1.0 — 1.5.0

▶Mavenorg.apache.inlong:inlong-manager1.1.0 — 1.6.0

▶NVDapache/inlong1.1.0 — 1.5.0

Patches

Patch: lists.apache.org ↗Patch: lists.apache.org ↗

🔴Vulnerability Details

CVEList

Apache InLong: JDBC Deserialization Vulnerability in InLong↗2023-03-27

▶

OSV

Apache InLong vulnerable to JDBC Deserialization of Untrusted Data↗2023-03-27

▶

GHSA

Apache InLong vulnerable to JDBC Deserialization of Untrusted Data↗2023-03-27

▶