CVE-2023-35088

Опубликовано: 25 июл. 2023

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8198

Ссылки

http://seclists.org/fulldisclosure/2023/Jul/43
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/07/25/4
Mailing List
Third Party Advisory
https://lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk
Mailing List
Vendor Advisory
http://seclists.org/fulldisclosure/2023/Jul/43
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/07/25/4
Mailing List
Third Party Advisory
https://lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

Версия от 1.4.0 (включая) до 1.7.0 (включая)

EPSS

Процентиль: 66%

0.00513

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-89

Связанные уязвимости

GHSA-r5pv-7g89-cxmc