Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the "orderType" parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the   user with ID 1 from the "user" table, one character at a time.  Users are advised to upgrade to Apache InLong's 1.6.0 or cherry-pick [1] to solve it. https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [1] https://github.com/apache/inlong/issues/7529 https://github.com/apache/inlong/issues/7529

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/11/2

https://lists.apache.org/thread/mrh4nr3jrlbj6nxkn4q8hddbfh1pnok0

Related Vulnerabilities

CVE-2020-7727 Vulnerability in npm package gedi

CVE-2020-2117 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-githubnotify-step

CVE-2020-26217 Vulnerability in maven package org.jvnet.hudson:xstream

CVE-2022-35912 Vulnerability in maven package org.grails:grails-databinding

CVE-2020-8913 Vulnerability in maven package com.google.android.play:core

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Third Party Advisory NVD-CWE-noinfo