OpenCVE

Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9331

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Inlong

Configuration 1 [-]

cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/01/03/2
https://lists.apache.org/thread/g0yjmtjqvp8bnf1j0tdsk0nhfozjdjno

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-01-03T09:36:24.189Z

Updated: 2024-09-06T14:55:41.326Z

Reserved: 2023-12-26T02:06:28.399Z

Link: CVE-2023-51785

Vulnrichment

Updated: 2024-08-02T22:48:11.201Z

NVD

Status : Modified

Published: 2024-01-03T10:15:09.130

Modified: 2024-11-21T08:38:48.150

Link: CVE-2023-51785

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-51785", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-12-26T02:06:28.399Z", "datePublished": "2024-01-03T09:36:24.189Z", "dateUpdated": "2024-09-06T14:55:41.326Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache InLong", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.9.0", "status": "affected", "version": "1.7.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "X1r0z"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.<p>This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. <span style=\"background-color: var(--wht);\">Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it.</span></p><p><span style=\"background-color: rgb(255, 255, 255);\">[1] <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/9331\">https://github.com/apache/inlong/pull/9331</a></span></p>\n\n<p></p>"}], "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers\u00a0can make a arbitrary file read attack using mysql driver.\u00a0Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it.\n\n[1]\u00a0 https://github.com/apache/inlong/pull/9331 \n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-01-03T09:36:24.189Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/g0yjmtjqvp8bnf1j0tdsk0nhfozjdjno"}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/03/2"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache InLong: Arbitrary File Read Vulnerability in Apache InLong Manager", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:48:11.201Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/g0yjmtjqvp8bnf1j0tdsk0nhfozjdjno"}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/03/2", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-06T14:54:34.501219Z", "id": "CVE-2023-51785", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T14:55:41.326Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/g0yjmtjqvp8bnf1j0tdsk0nhfozjdjno", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/03/2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:48:11.201Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-51785", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-06T14:54:34.501219Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T14:55:03.754Z"}}], "cna": {"title": "Apache InLong: Arbitrary File Read Vulnerability in Apache InLong Manager", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "X1r0z"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache InLong", "versions": [{"status": "affected", "version": "1.7.0", "versionType": "semver", "lessThanOrEqual": "1.9.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/g0yjmtjqvp8bnf1j0tdsk0nhfozjdjno", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/03/2"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers\u00a0can make a arbitrary file read attack using mysql driver.\u00a0Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it.\n\n[1]\u00a0 https://github.com/apache/inlong/pull/9331 \n\n", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.<p>This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. <span style=\"background-color: var(--wht);\">Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it.</span></p><p><span style=\"background-color: rgb(255, 255, 255);\">[1] <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/9331\">https://github.com/apache/inlong/pull/9331</a></span></p>\n\n<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-01-03T09:36:24.189Z"}}}, "cveMetadata": {"cveId": "CVE-2023-51785", "state": "PUBLISHED", "dateUpdated": "2024-09-06T14:55:41.326Z", "dateReserved": "2023-12-26T02:06:28.399Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-01-03T09:36:24.189Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*", "matchCriteriaId": "92169308-15D8-4DE5-B2BF-7AC7A4D5D72D", "versionEndIncluding": "1.9.0", "versionStartIncluding": "1.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers\u00a0can make a arbitrary file read attack using mysql driver.\u00a0Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it.\n\n[1]\u00a0 https://github.com/apache/inlong/pull/9331 \n\n"}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Apache InLong. Este problema afecta a Apache InLong: desde la versi\u00f3n 1.7.0 hasta la 1.9.0, los atacantes pueden realizar un ataque de lectura de archivos arbitrario utilizando el controlador mysql. Se recomienda a los usuarios actualizar a Apache InLong 1.10.0 o seleccionar [1] para resolverlo. [1] https://github.com/apache/inlong/pull/9331"}], "id": "CVE-2023-51785", "lastModified": "2024-11-21T08:38:48.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-01-03T10:15:09.130", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/01/03/2"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/g0yjmtjqvp8bnf1j0tdsk0nhfozjdjno"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/01/03/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/g0yjmtjqvp8bnf1j0tdsk0nhfozjdjno"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}