Description
Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8198
Remediation
References
http://seclists.org/fulldisclosure/2023/Jul/43
http://www.openwall.com/lists/oss-security/2023/07/25/4
https://lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk
Related Vulnerabilities
CVE-2022-47042 Vulnerability in maven package net.mingsoft:ms-mcms
CVE-2020-2322 Vulnerability in maven package io.jenkins.plugins:chaos-monkey
CVE-2022-0087 Vulnerability in npm package @keystone-6/auth
CVE-2020-36649 Vulnerability in maven package org.webjars.npm:papaparse
CVE-2019-16728 Vulnerability in maven package org.webjars.bower:dompurify