Apache Software Foundation Apache InLong vulnerabilities

31 known vulnerabilities affecting apache_software_foundation/apache_inlong.

Total CVEs: 31
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 13, HIGH 13, MEDIUM 5

Vulnerabilities

Page 1 of 2 (20 of the 31 entries are listed on this page)
CVE-2025-27531 | CRITICAL | CVSS 9.8 | affects ≥ 1.13.0, < 2.1.0 | 2025-06-06
CVE-2025-27531 [CRITICAL] CWE-502: Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 before 2.1.0: an authenticated attacker can read arbitrary files by writing the same parameter twice ("double writing the param"). Users are recommended to upgrade to version 2.1.0, which fixes the issue.
Sources: cvelistv5, nvd
CVE-2025-27528 | CRITICAL | CVSS 9.1 | affects ≥ 1.13.0, ≤ 2.1.0 | 2025-05-28
CVE-2025-27528 [CRITICAL] CWE-502: Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick [1] to solve it. [1] https:/…
Sources: cvelistv5, nvd
CVE-2025-27522 | CRITICAL | CVSS 9.8 | affects ≥ 1.13.0, ≤ 2.1.0 | 2025-05-28
CVE-2025-27522 [CRITICAL] CWE-502: Apache InLong: JDBC vulnerability during verification processing. Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 through 2.1.0. This vulnerability is a follow-on bypass of the fix for CVE-2024-26579. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11732
Sources: cvelistv5
CVE-2025-27526 | MEDIUM | CVSS 6.5 | affects ≥ 1.13.0, ≤ 2.1.0 | 2025-05-28
CVE-2025-27526 [MEDIUM] CWE-502: Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.13.0 through 2.1.0. The JDBC check can be bypassed with URL-encoded or backspace characters. Users are advised to upgrade to Apache InLong 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747
Sources: cvelistv5, nvd
CVE-2024-26579 | CRITICAL | CVSS 9.8 | affects ≥ 1.13.0, ≤ 2.1.0 (the advisory text below gives 1.7.0 through 1.11.0) | 2024-05-08
CVE-2024-26579 [CRITICAL] CWE-502: Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.7.0 through 1.11.0: attackers can bypass the check using malicious parameters. Users are advised to upgrade to Apache InLong 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2] https://github.com/apac…
Sources: cvelistv5, nvd
CVE-2024-26580 | CRITICAL | CVSS 9.1 | affects ≥ 1.4.0, ≤ 1.10.0 (the advisory text below gives 1.8.0 through 1.10.0) | 2024-03-06
CVE-2024-26580 [CRITICAL] CWE-502: Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.8.0 through 1.10.0: attackers can use a specific payload to read an arbitrary file. Users are advised to upgrade to Apache InLong 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673
Sources: cvelistv5, nvd
CVE-2023-51784 | CRITICAL | CVSS 9.8 | affects ≥ 1.5.0, ≤ 1.9.0 | 2024-01-03
CVE-2023-51784 [CRITICAL] CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong from 1.5.0 through 1.9.0 and could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9329
Sources: cvelistv5, nvd
CVE-2023-51785 | HIGH | CVSS 7.5 | affects ≥ 1.7.0, ≤ 1.9.0 | 2024-01-03
CVE-2023-51785 [HIGH] CWE-502: Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong from 1.7.0 through 1.9.0: attackers can perform an arbitrary file read using the MySQL driver. Users are advised to upgrade to Apache InLong 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9331
Sources: cvelistv5, nvd
CVE-2023-46227 | HIGH | CVSS 7.5 | affects ≥ 1.4.0, ≤ 1.8.0 | 2023-10-19
CVE-2023-46227 [HIGH] CWE-502: Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0: an attacker can use a tab character (\t) to bypass the check. Users are advised to upgrade to Apache InLong 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8814
Sources: cvelistv5, nvd
CVE-2023-43668 | CRITICAL | CVSS 9.8 | affects ≥ 1.4.0, ≤ 1.8.0 | 2023-10-16
CVE-2023-43668 [CRITICAL] CWE-639: Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0: checks on sensitive parameters such as "autoDeserialize" and "allowLoadLocalInfile" can be bypassed. Users are advised to upgrade to Apache InLong 1.9.0 or cherry-pick [1] to solve it. [1] https://github.…
Sources: cvelistv5, nvd
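The JDBC entries above (the tab bypass in CVE-2023-46227, the sensitive parameters in CVE-2023-43668, the malicious-parameter bypasses in CVE-2024-26579 and CVE-2025-27522, the URL-encoding and backspace bypass in CVE-2025-27526, and the double-written parameter in CVE-2025-27531) point to the same root cause: the check reads the raw URL string while the driver that consumes it decodes and normalises differently. The Python model below is added here as an illustration and is not taken from Apache InLong's Java code base. It shows a naive first-match denylist being evaded by each of those tricks, beside a check that canonicalises first and allowlists. The `lenient_driver_parse` function is a constructed model of a permissive driver, not a description of any specific JDBC driver, and the allowlist contents, host name and sample URLs are assumptions.

```python
import re
from urllib.parse import unquote

# Properties named as sensitive in the InLong advisories above.
DANGEROUS = {"autodeserialize", "allowloadlocalinfile"}
# Hypothetical allowlist of properties a data source is permitted to set.
ALLOWED = {"usessl", "servertimezone", "characterencoding"}

CONTROL_OR_SPACE = re.compile(r"[\s\x00-\x1f\x7f]")


def _raw_pairs(url: str):
    """Split the query part of a JDBC URL into undecoded (key, sep, value) triples."""
    query = url.partition("?")[2]
    return [pair.partition("=") for pair in query.split("&") if pair]


def naive_check(url: str) -> bool:
    """Vulnerable pattern: read the raw query once, keep the FIRST value of
    each key, and reject only when a denylisted key is literally switched on."""
    params = {}
    for key, _, value in _raw_pairs(url):
        params.setdefault(key.lower(), value)        # first write wins
    return not any(params.get(k, "false").lower() == "true" for k in DANGEROUS)


def lenient_driver_parse(url: str) -> dict:
    """Constructed model of a permissive driver: percent-decodes each pair,
    drops whitespace and control characters inside the key (so a tab or a
    backspace vanishes), and lets a later duplicate overwrite an earlier one."""
    params = {}
    for raw_key, _, raw_value in _raw_pairs(url):
        key = CONTROL_OR_SPACE.sub("", unquote(raw_key)).lower()
        params[key] = unquote(raw_value)              # last write wins
    return params


def hardened_check(url: str) -> tuple:
    """Reject anything the check cannot interpret exactly as the driver will:
    encoded or control characters in a key, duplicate keys, and any key that
    is not on the allowlist. Returns (accepted, reason)."""
    seen = set()
    for raw_key, _, _ in _raw_pairs(url):
        if unquote(raw_key) != raw_key or CONTROL_OR_SPACE.search(raw_key):
            return False, f"encoded or control character in key {raw_key!r}"
        key = raw_key.lower()
        if key in seen:
            return False, f"duplicate key {key!r}"
        if key not in ALLOWED:
            return False, f"key {key!r} not in allowlist"
        seen.add(key)
    return True, "ok"


BASE = "jdbc:mysql://db.example.internal:3306/inlong"   # constructed host

# Constructed URLs, one per bypass class named in the advisories.
BYPASSES = {
    "tab in key (CVE-2023-46227)": BASE + "?autoDeserialize\t=true",
    "percent-encoded key (CVE-2025-27526)": BASE + "?%61utoDeserialize=true",
    "backspace in key (CVE-2025-27526)": BASE + "?auto\x08Deserialize=true",
    "double-written key (CVE-2025-27531)":
        BASE + "?allowLoadLocalInfile=false&allowLoadLocalInfile=true",
}
BENIGN = BASE + "?useSSL=true&serverTimezone=UTC"


def evaluate(url: str) -> dict:
    """Run both checks and report what the driver model would actually see."""
    seen = lenient_driver_parse(url)
    return {
        "naive_accepts": naive_check(url),
        "driver_enables_dangerous": any(seen.get(k, "").lower() == "true" for k in DANGEROUS),
        "hardened_accepts": hardened_check(url)[0],
    }


if __name__ == "__main__":
    for name, url in BYPASSES.items():
        print(f"{name}: {evaluate(url)}")
    print(f"benign: {evaluate(BENIGN)}")
```

Every constructed bypass passes `naive_check` while the driver model ends up with the dangerous property enabled; `hardened_check` rejects all of them and accepts only the benign URL. The design point is that the validator must canonicalise at least as aggressively as the consumer, or, better, refuse any input it would have to canonicalise at all.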
CVE-2023-43667 | HIGH | CVSS 7.5 | affects ≥ 1.4.0, ≤ 1.8.0 | 2023-10-16
CVE-2023-43667 [HIGH] CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0: an attacker can create misleading or false log records, making it harder to audit and trace malicious activities. Users are advised to upgrade to Apache InLong's 1…
Sources: cvelistv5, nvd
CVE-2023-43666 | MEDIUM | CVSS 6.5 | affects ≥ 1.4.0, ≤ 1.8.0 | 2023-10-16
CVE-2023-43666 [MEDIUM] CWE-345: Insufficient Verification of Data Authenticity vulnerability in Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0: a general user can view all user data, as only an Admin account should. Users are advised to upgrade to Apache InLong 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8623
Sources: cvelistv5, nvd
CVE-2023-35088 | CRITICAL | CVSS 9.8 | affects ≥ 1.4.0, ≤ 1.7.0 | 2023-07-25
CVE-2023-35088 [CRITICAL] CWE-89: Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.7.0. In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL in…
Sources: cvelistv5, nvd
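A worked illustration of the defect described for CVE-2023-35088, added here and not taken from Apache InLong's code: a query assembled by concatenating the groupId, streamId, auditId and dt values, beside the parameterised form. The table, column names, rows and payload are constructed for the example, and SQLite stands in for whatever backend the real method targets, so only the shape of the bug carries over.

```python
import sqlite3

# Constructed audit rows; table and column names are assumptions for the example.
SAMPLE_ROWS = [
    ("group_a", "stream_1", "3", "2023-07-25", 120),
    ("group_a", "stream_2", "3", "2023-07-25", 75),
    ("group_b", "stream_9", "4", "2023-07-25", 9001),
]

SELECT = "SELECT inlong_group_id, inlong_stream_id, cnt FROM audit_data "


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the audit store, loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE audit_data (inlong_group_id TEXT, inlong_stream_id TEXT, "
        "audit_id TEXT, log_ts TEXT, cnt INTEGER)"
    )
    conn.executemany("INSERT INTO audit_data VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def to_audit_sql_vulnerable(group_id, stream_id, audit_id, dt) -> str:
    """The defect pattern: request-controlled values spliced into the statement text."""
    return (SELECT
            + f"WHERE inlong_group_id = '{group_id}' AND inlong_stream_id = '{stream_id}' "
            + f"AND audit_id = '{audit_id}' AND log_ts = '{dt}'")


def query_vulnerable(conn, group_id, stream_id, audit_id, dt) -> list:
    return conn.execute(to_audit_sql_vulnerable(group_id, stream_id, audit_id, dt)).fetchall()


def query_safe(conn, group_id, stream_id, audit_id, dt) -> list:
    """Parameterised form: the values travel separately from the statement text,
    so the database never interprets them as SQL."""
    sql = (SELECT
           + "WHERE inlong_group_id = ? AND inlong_stream_id = ? "
           + "AND audit_id = ? AND log_ts = ?")
    return conn.execute(sql, (group_id, stream_id, audit_id, dt)).fetchall()


# Constructed tautology payload supplied as groupId; the trailing comment marker
# swallows the remaining predicates, so every row in the table comes back.
PAYLOAD = "' OR '1'='1' --"


if __name__ == "__main__":
    db = make_db()
    print("legitimate:", query_vulnerable(db, "group_a", "stream_1", "3", "2023-07-25"))
    print("injected (vulnerable):", query_vulnerable(db, PAYLOAD, "x", "x", "x"))
    print("injected (safe):", query_safe(db, PAYLOAD, "x", "x", "x"))
```

With the payload as groupId, the concatenated statement returns all three constructed rows (every group's audit counts) while the parameterised statement returns none, because no group is literally named `' OR '1'='1' --`.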
CVE-2023-34434 | HIGH | CVSS 7.5 | affects ≥ 1.4.0, ≤ 1.7.0 | 2023-07-25
CVE-2023-34434 [HIGH] CWE-502: Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.7.0. The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/…
Sources: cvelistv5, nvd
CVE-2023-34189 | MEDIUM | CVSS 6.5 | affects ≥ 1.4.0, ≤ 1.7.0 | 2023-07-25
CVE-2023-34189 [MEDIUM] CWE-668: Exposure of Resource to Wrong Sphere vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.7.0. An attacker with a general user account could delete and update processes, operations that only the admin should be able to perform. Users are advised to upgrade to Apache InLong 1.8.0 or cherry-pick https://gi…
Sources: cvelistv5, nvd
CVE-2023-31065 | CRITICAL | CVSS 9.1 | affects ≥ 1.4.0, ≤ 1.6.0 | 2023-05-22
CVE-2023-31065 [CRITICAL] CWE-613: Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.6.0. An old session can be used by an attacker even after the user has been deleted or the password has been changed. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://githu…
Sources: cvelistv5, nvd
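The shape of a fix for the CVE-2023-31065 condition, as an added example that is not Apache InLong's implementation: a session stays valid only while the account it was issued for still exists and its credential has not changed since issue. The store below records a per-user password version in each session and re-checks it on every lookup, so both events named in the advisory (user deleted, password changed) invalidate the old session. Class and method names, and the two-user walk-through, are assumptions for the example.

```python
import secrets


class SessionStore:
    """Sessions bound to account state: each session carries the password
    version it was issued under, and validation re-checks the account."""

    def __init__(self):
        self.users = {}      # username -> current password version
        self.sessions = {}   # token -> (username, password version at issue)

    def add_user(self, username: str) -> None:
        self.users[username] = 0

    def login(self, username: str) -> str:
        if username not in self.users:
            raise KeyError(username)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, self.users[username])
        return token

    def change_password(self, username: str) -> None:
        """Bumping the version invalidates every session issued before it."""
        self.users[username] += 1

    def delete_user(self, username: str) -> None:
        del self.users[username]

    def validate_stale(self, token: str) -> bool:
        """The CWE-613 pattern: existence of the session record is all that is checked."""
        return token in self.sessions

    def validate(self, token: str) -> bool:
        """Hardened: the account must still exist and its password version must
        match the one the session was issued under."""
        record = self.sessions.get(token)
        if record is None:
            return False
        username, issued_version = record
        if self.users.get(username) != issued_version:
            self.sessions.pop(token, None)   # drop the stale session eagerly
            return False
        return True


def scenario() -> dict:
    """Constructed walk-through of the two events named in the advisory."""
    store = SessionStore()
    store.add_user("alice")
    store.add_user("bob")
    alice_token = store.login("alice")
    bob_token = store.login("bob")
    store.change_password("alice")
    store.delete_user("bob")
    return {
        "alice_stale_check": store.validate_stale(alice_token),
        "alice_hardened_check": store.validate(alice_token),
        "bob_stale_check": store.validate_stale(bob_token),
        "bob_hardened_check": store.validate(bob_token),
        "fresh_alice_login": store.validate(store.login("alice")),
    }


if __name__ == "__main__":
    print(scenario())
```

In the walk-through the existence-only check still accepts both old tokens, the hardened check rejects them, and a fresh login after the password change is accepted because it was issued under the new version. Revoking on logout or on an idle timeout is still needed in addition to this; the version check only covers the two state changes the advisory names.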
CVE-2023-31098 | CRITICAL | CVSS 9.8 | affects ≥ 1.1.0, ≤ 1.6.0 | 2023-05-22
CVE-2023-31098 [CRITICAL] CWE-521: Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.1.0 through 1.6.0. When users change their password to a simple password (any character or symbol is accepted), attackers can easily guess the password and access the account. Users are advised to upgrade to Apache InLong…
Sources: cvelistv5, nvd
CVE-2023-31062 | CRITICAL | CVSS 9.8 | affects ≥ 1.2.0, ≤ 1.6.0 | 2023-05-22
CVE-2023-31062 [CRITICAL] CWE-269: Improper Privilege Management vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.2.0 through 1.6.0. When the attacker has access to a valid (but unprivileged) account, the exploit can be executed using Burp Suite by sending a login request and following it with a subsequent HTTP request using the r…
Sources: cvelistv5, nvd
CVE-2023-31066 | CRITICAL | CVSS 9.1 | affects ≥ 1.4.0, ≤ 1.6.0 | 2023-05-22
CVE-2023-31066 [CRITICAL] CWE-552: Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.6.0. Different users in InLong could delete, edit, stop, and start each other's sources. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlon…
Sources: cvelistv5, nvd
CVE-2023-31454 | HIGH | CVSS 7.5 | affects ≥ 1.2.0, ≤ 1.6.0 | 2023-05-22
CVE-2023-31454 [HIGH] CWE-732: Incorrect Permission Assignment for Critical Resource vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.2.0 through 1.6.0. The attacker can bind any cluster, even if he is not the cluster owner. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick [1] to solve it. [1] https://github.com…
Sources: cvelistv5, nvd
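The four authorization entries on this page (cluster binding by a non-owner in CVE-2023-31454, cross-user source operations in CVE-2023-31066, admin-only process operations by general users in CVE-2023-34189, and all user data visible to general users in CVE-2023-43666) are missing the same check: who is making the request, and do they own the object or hold the admin role. Below is an added example, not InLong's code, of a deny-by-default authorization gate that combines ownership with role, run over a constructed set of users and resources; the action names, roles and principals are assumptions chosen to mirror those advisories.

```python
from dataclasses import dataclass
from typing import Optional

ADMIN = "admin"
GENERAL = "general"

# Actions that, per the advisories above, must not be open to every authenticated user.
OWNER_ACTIONS = {"source.delete", "source.edit", "source.stop", "source.start", "cluster.bind"}
ADMIN_ONLY_ACTIONS = {"process.delete", "process.update", "user.list"}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Resource:
    kind: str        # e.g. "source" or "cluster"
    ident: str
    owner: str       # username of the owner


class AuthorizationError(PermissionError):
    pass


def authorize(actor: User, action: str, resource: Optional[Resource] = None) -> None:
    """Deny by default. Admins may do anything; general users may perform
    owner actions only on resources they own and never admin-only actions.
    Any action not classified above is denied rather than silently allowed."""
    if actor.role == ADMIN:
        return
    if action in ADMIN_ONLY_ACTIONS:
        raise AuthorizationError(f"{actor.name} is not admin; {action} denied")
    if action in OWNER_ACTIONS:
        if resource is None or resource.owner != actor.name:
            raise AuthorizationError(f"{actor.name} does not own {resource}; {action} denied")
        return
    raise AuthorizationError(f"unclassified action {action!r} denied")


def is_allowed(actor: User, action: str, resource: Optional[Resource] = None) -> bool:
    """Boolean wrapper for callers that prefer a decision to an exception."""
    try:
        authorize(actor, action, resource)
        return True
    except AuthorizationError:
        return False


# Constructed principals and resources.
ALICE = User("alice", GENERAL)
BOB = User("bob", GENERAL)
ROOT = User("root", ADMIN)
BOB_SOURCE = Resource("source", "src-17", owner="bob")
BOB_CLUSTER = Resource("cluster", "cl-2", owner="bob")


if __name__ == "__main__":
    checks = [
        ("bob stops own source", is_allowed(BOB, "source.stop", BOB_SOURCE)),
        ("alice stops bob's source", is_allowed(ALICE, "source.stop", BOB_SOURCE)),
        ("alice binds bob's cluster", is_allowed(ALICE, "cluster.bind", BOB_CLUSTER)),
        ("bob deletes a process", is_allowed(BOB, "process.delete")),
        ("root lists users", is_allowed(ROOT, "user.list")),
    ]
    for label, ok in checks:
        print(f"{label}: {'allowed' if ok else 'denied'}")
```

The ownership lookup must use the object's stored owner, never a caller-supplied owner field, otherwise the check collapses back into the user-controlled-key problem of CVE-2023-43668.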