OpenCVE

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130 .

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Apache	Inlong

Configuration 1 [-]

cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2023/Jul/43
http://www.openwall.com/lists/oss-security/2023/07/25/3
https://lists.apache.org/thread/7f1o71w5r732cspltmtdydn01gllf4jo

History

Wed, 02 Oct 2024 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-07-25T07:09:58.676Z

Updated: 2024-10-02T18:42:02.490Z

Reserved: 2023-06-06T11:15:53.221Z

Link: CVE-2023-34434

Vulnrichment

Updated: 2024-08-02T16:10:07.030Z

NVD

Status : Modified

Published: 2023-07-25T08:15:10.147

Modified: 2024-10-02T19:35:02.480

Link: CVE-2023-34434

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34434", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-06-06T11:15:53.221Z", "datePublished": "2023-07-25T07:09:58.676Z", "dateUpdated": "2024-10-02T18:42:02.490Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache InLong", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.7.0", "status": "affected", "version": "1.4.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "sw0rd1ight and 4ra1n of Chaitin Tech"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.<p>This issue affects Apache InLong: from 1.4.0 through 1.7.0. \n\nThe attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/8130\">https://github.com/apache/inlong/pull/8130</a>.\n\n</p>"}], "value": "Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.\u00a0\n\nThe attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130 .\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-07-25T07:09:58.676Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/7f1o71w5r732cspltmtdydn01gllf4jo"}, {"url": "http://seclists.org/fulldisclosure/2023/Jul/43"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/25/3"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache InLong: JDBC URL bypassing by allowLoadLocalInfileInPath param", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:07.030Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/7f1o71w5r732cspltmtdydn01gllf4jo"}, {"url": "http://seclists.org/fulldisclosure/2023/Jul/43", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/25/3", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "apache", "product": "inlong", "cpes": ["cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.4.0", "status": "affected", "lessThanOrEqual": "1.7.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-02T18:31:50.626067Z", "id": "CVE-2023-34434", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-02T18:42:02.490Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/7f1o71w5r732cspltmtdydn01gllf4jo", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2023/Jul/43", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/25/3", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:07.030Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-34434", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-02T18:31:50.626067Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "inlong", "versions": [{"status": "affected", "version": "1.4.0", "versionType": "custom", "lessThanOrEqual": "1.7.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-02T18:41:57.676Z"}}], "cna": {"title": "Apache InLong: JDBC URL bypassing by allowLoadLocalInfileInPath param", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "sw0rd1ight and 4ra1n of Chaitin Tech"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache InLong", "versions": [{"status": "affected", "version": "1.4.0", "versionType": "semver", "lessThanOrEqual": "1.7.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/7f1o71w5r732cspltmtdydn01gllf4jo", "tags": ["vendor-advisory"]}, {"url": "http://seclists.org/fulldisclosure/2023/Jul/43"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/25/3"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.\u00a0\n\nThe attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130 .\n\n", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.<p>This issue affects Apache InLong: from 1.4.0 through 1.7.0. \n\nThe attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/8130\">https://github.com/apache/inlong/pull/8130</a>.\n\n</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-07-25T07:09:58.676Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34434", "state": "PUBLISHED", "dateUpdated": "2024-10-02T18:42:02.490Z", "dateReserved": "2023-06-06T11:15:53.221Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-07-25T07:09:58.676Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*", "matchCriteriaId": "A758C808-F9C0-43D5-8061-DA3A69751D21", "versionEndIncluding": "1.7.0", "versionStartIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.\u00a0\n\nThe attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130 .\n\n"}], "id": "CVE-2023-34434", "lastModified": "2024-10-02T19:35:02.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-07-25T08:15:10.147", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2023/Jul/43"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/07/25/3"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/7f1o71w5r732cspltmtdydn01gllf4jo"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Primary"}]}