=====================================================================
CERT-Renater Note d'Information No. 2023/VULN407
_____________________________________________________________________

DATE                 : 18/10/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache InLong versions prior to 1.9.0.
=====================================================================

https://lists.apache.org/thread/16gtk7rpdm1rof075ro83fkrnhbzn5sh
https://lists.apache.org/thread/spnb378g268p1f902fr9kqyph2k8n543
https://lists.apache.org/thread/scbgh3ty3xcxm3q33r2t9f42gwwo1why
_____________________________________________________________________

CVE-2023-43668: Apache InLong: JDBC Connection Security Bypass in InLong

Severity: important

Affected versions:
- Apache InLong 1.4.0 through 1.8.0

Description:
Authorization Bypass Through User-Controlled Key vulnerability in Apache
InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0: the
checks on some sensitive JDBC connection parameters, such as
"autoDeserialize" and "allowLoadLocalInfile" among others, can be
bypassed. Users are advised to upgrade to Apache InLong 1.9.0 or
cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8604

Credit:
nbxiglk (finder)

References:
https://inlong.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-43668
_____________________________________________________________________

CVE-2023-43667: Apache InLong: Log Injection in Global functions

Severity: moderate

Affected versions:
- Apache InLong 1.4.0 through 1.8.0

Description:
Improper Neutralization of Special Elements used in an SQL Command ('SQL
Injection') vulnerability in Apache InLong. This issue affects Apache
InLong from 1.4.0 through 1.8.0: an attacker can create misleading or
false records, making it harder to audit and trace malicious
activities. Users are advised to upgrade to Apache InLong 1.8.0 or
cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8628

References:
https://inlong.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-43667
_____________________________________________________________________

CVE-2023-43666: Apache InLong: General user Unauthorized access User Management

Severity: important

Affected versions:
- Apache InLong 1.4.0 through 1.8.0

Description:
Insufficient Verification of Data Authenticity vulnerability in Apache
InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0: a
general user can view all user data, as an Admin account can. Users are
advised to upgrade to Apache InLong 1.9.0 or cherry-pick [1] to solve
it.

[1] https://github.com/apache/inlong/pull/8623

References:
https://inlong.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-43666

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================
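The CVE-2023-43668 entry above concerns a check on sensitive JDBC connection parameters that could be bypassed. The following is an added example, written for this note and not Apache InLong's own code or the fix in the referenced pull request; it shows the shape of a robust check for an operator-defined denylist of JDBC URL parameters. It assumes the common `jdbc:<driver>://host/db?name=value&...` form with `&`-separated query parameters (drivers using `;` separators would need a different splitter), and it takes the two parameter names only from the advisory text; the full list is an operator decision. The check compares parameter names after percent-decoding, whitespace stripping and case folding, so a differently spelled or encoded name is treated the same as the plain one.

```python
# Added example for CERT-Renater 2023/VULN407 (not Apache InLong code):
# reject JDBC connection URLs carrying driver parameters classified as
# sensitive by the operator.
from urllib.parse import urlsplit, parse_qsl

# Parameter names cited in the advisory; stored in lower case so that the
# comparison below is case-insensitive. Extend to taste.
SENSITIVE_PARAMS = frozenset(name.lower() for name in (
    "autoDeserialize",
    "allowLoadLocalInfile",
))


def jdbc_query_params(url: str) -> list:
    """Return the (name, value) pairs of a JDBC URL's query string.

    urlsplit does not understand the "jdbc:" prefix, so it is stripped
    before parsing. parse_qsl percent-decodes names and values, and
    keep_blank_values keeps a bare "autoDeserialize" or "autoDeserialize="
    visible instead of silently dropping it.
    """
    if not url.lower().startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    inner = url[len("jdbc:"):]
    return parse_qsl(urlsplit(inner).query, keep_blank_values=True)


def find_sensitive_params(url: str) -> list:
    """Names (as decoded from the URL) of sensitive parameters present."""
    return [name for name, _ in jdbc_query_params(url)
            if name.strip().lower() in SENSITIVE_PARAMS]


def is_safe_jdbc_url(url: str) -> bool:
    """True when none of the denylisted parameters appears in the URL."""
    return not find_sensitive_params(url)


if __name__ == "__main__":
    # Constructed sample URLs; the host name is a placeholder.
    for sample in (
        "jdbc:mysql://db.example.internal:3306/inlong?useSSL=true",
        "jdbc:mysql://db.example.internal:3306/inlong?useSSL=true&autoDeserialize=true",
        "jdbc:mysql://db.example.internal:3306/inlong?ALLOWLOADLOCALINFILE=1",
    ):
        print(is_safe_jdbc_url(sample), find_sensitive_params(sample), sample)
```

A denylist like this is only as good as its coverage of the driver's property names; where the product controls the driver, an allowlist of the few parameters actually needed is the stronger design, and the sanitized URL should be the one handed to the driver rather than a copy of the user-supplied string.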
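The CVE-2023-43667 entry above describes log records that an attacker can make misleading or false, which is the effect of unneutralized line breaks and control characters in user-controlled text reaching an audit log. The following is an added example for this note, not Apache InLong's code or its fix: a small neutralizer that escapes backslashes, quotes, CR/LF, other control characters and the Unicode line separators, caps the field length, and emits each audit record as quoted `key="value"` pairs so that one request can only ever produce one line. Field names, the record layout and the sample inputs are constructed for the example.

```python
# Added example for CERT-Renater 2023/VULN407 (not Apache InLong code):
# neutralise user-controlled text before it is written to an audit log.
import re

# Characters that could start a new log line or hide text: C0 and C1
# control characters plus the Unicode line and paragraph separators.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")
_NAMED = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}


def _escape(match) -> str:
    ch = match.group(0)
    if ch in _NAMED:
        return _NAMED[ch]
    code = ord(ch)
    return "\\x%02x" % code if code < 0x100 else "\\u%04x" % code


def neutralize(value: str, max_len: int = 200) -> str:
    """Return value as a single printable line of bounded length.

    Backslashes are doubled first so an escape sequence produced here can
    never be confused with a backslash the attacker supplied; quotes are
    escaped because the record format quotes each field.
    """
    if len(value) > max_len:
        value = value[:max_len] + "...[truncated]"
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    return _CONTROL_RE.sub(_escape, value)


def audit_record(actor: str, action: str, target: str) -> str:
    """Build one audit record; every field is neutralised before use."""
    fields = (("actor", actor), ("action", action), ("target", target))
    return " ".join('%s="%s"' % (key, neutralize(val)) for key, val in fields)


if __name__ == "__main__":
    # Constructed input: a username that tries to smuggle a second record.
    forged = 'alice\r\nactor="admin" action="delete_user" target="bob"'
    print(audit_record(actor=forged, action="login", target="console"))
```

The same `neutralize` function can be applied in a `logging.Filter` or in the formatter so that every message passes through it, and a parser on the consuming side can split records on the unescaped `key="` boundaries without ambiguity.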