OpenCVE

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/10251

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Inlong

Configuration 1 [-]

cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/08/02/5
https://lists.apache.org/thread/1w1yp1bg5sjvn46dszkf00tz1vfs0frc

History

Tue, 27 Aug 2024 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache inlong
CPEs		cpe:2.3:a:apache:inlong::::::::
Vendors & Products		Apache Apache inlong
Metrics	cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 22 Aug 2024 21:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}`

Thu, 22 Aug 2024 20:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2024/08/02/5

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-08-02T09:44:26.237Z

Updated: 2024-08-22T19:40:19.635Z

Reserved: 2024-05-23T07:42:29.646Z

Link: CVE-2024-36268

Vulnrichment

Updated: 2024-08-02T16:03:26.645Z

NVD

Status : Modified

Published: 2024-08-02T10:16:00.367

Modified: 2024-11-21T09:21:57.987

Link: CVE-2024-36268

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-36268", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-05-23T07:42:29.646Z", "datePublished": "2024-08-02T09:44:26.237Z", "dateUpdated": "2024-08-22T19:40:19.635Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.inlong:tubemq-client", "product": "Apache InLong TubeMQ Client", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.12.0", "status": "affected", "version": "1.10.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "X1r0z"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.</p><p>This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. <span style=\"background-color: var(--wht);\">Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it.</span></p>\n\n<p><span style=\"background-color: rgb(255, 255, 255);\">[1] <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/10251\">https://github.com/apache/inlong/pull/10251</a></span></p>\n\n<p></p>"}], "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.\n\nThis issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it.\n\n[1]\u00a0 https://github.com/apache/inlong/pull/10251"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-08-02T09:44:26.237Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/1w1yp1bg5sjvn46dszkf00tz1vfs0frc"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache InLong TubeMQ Client: Remote Code Execution vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/08/02/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:03:26.645Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "affected": [{"vendor": "apache_software_foundation", "product": "apache_inlong", "cpes": ["cpe:2.3:a:apache_software_foundation:apache_inlong:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.10.0", "status": "affected", "lessThanOrEqual": "1.12.0", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-22T19:33:37.102859Z", "id": "CVE-2024-36268", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T19:40:19.635Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/08/02/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:03:26.645Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-36268", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-22T19:33:37.102859Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache_software_foundation:apache_inlong:*:*:*:*:*:*:*:*"], "vendor": "apache_software_foundation", "product": "apache_inlong", "versions": [{"status": "affected", "version": "1.10.0", "versionType": "semver", "lessThanOrEqual": "1.12.0"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-22T19:34:54.347Z"}}], "cna": {"title": "Apache InLong TubeMQ Client: Remote Code Execution vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "X1r0z"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache InLong TubeMQ Client", "versions": [{"status": "affected", "version": "1.10.0", "versionType": "semver", "lessThanOrEqual": "1.12.0"}], "packageName": "org.apache.inlong:tubemq-client", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/1w1yp1bg5sjvn46dszkf00tz1vfs0frc", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.\n\nThis issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it.\n\n[1]\u00a0 https://github.com/apache/inlong/pull/10251", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.</p><p>This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. <span style=\"background-color: var(--wht);\">Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it.</span></p>\n\n<p><span style=\"background-color: rgb(255, 255, 255);\">[1] <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/10251\">https://github.com/apache/inlong/pull/10251</a></span></p>\n\n<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-08-02T09:44:26.237Z"}}}, "cveMetadata": {"cveId": "CVE-2024-36268", "state": "PUBLISHED", "dateUpdated": "2024-08-22T19:40:19.635Z", "dateReserved": "2024-05-23T07:42:29.646Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-08-02T09:44:26.237Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*", "matchCriteriaId": "60AA3A03-AF35-41BE-8671-5C75CC7C82A2", "versionEndExcluding": "1.13.0", "versionStartIncluding": "1.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.\n\nThis issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it.\n\n[1]\u00a0 https://github.com/apache/inlong/pull/10251"}, {"lang": "es", "value": "Vulnerabilidad de control inadecuado de la generaci\u00f3n de c\u00f3digo ('inyecci\u00f3n de c\u00f3digo') en Apache InLong. Este problema afecta a Apache InLong: desde la versi\u00f3n 1.10.0 hasta la 1.12.0, lo que podr\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo. Se recomienda a los usuarios que actualicen a la versi\u00f3n 1.13.0 de Apache InLong o seleccionen la que m\u00e1s les convenga [1] para resolverlo. [1] https://github.com/apache/inlong/pull/10251"}], "id": "CVE-2024-36268", "lastModified": "2024-11-21T09:21:57.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-08-02T10:16:00.367", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1w1yp1bg5sjvn46dszkf00tz1vfs0frc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/08/02/5"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}