Description

Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,  some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... .   Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/8604

Remediation

References

https://lists.apache.org/thread/16gtk7rpdm1rof075ro83fkrnhbzn5sh

Related Vulnerabilities

CVE-2019-10412 Vulnerability in maven package com.inedo.proget:inedo-proget

CVE-2023-31103 Vulnerability in maven package org.apache.inlong:manager-web

CVE-2020-11619 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2022-22979 Vulnerability in maven package org.springframework.cloud:spring-cloud-function-context

CVE-2023-29514 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui

Severity

Critical

Classification

CWE-639 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory