=====================================================================

                               CERT-Renater

                   Note d'Information No. 2024/VULN010
_____________________________________________________________________

DATE                : 04/01/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache InLong versions
                                  1.7.0 through 1.9.0.

=====================================================================
https://lists.apache.org/thread/g0yjmtjqvp8bnf1j0tdsk0nhfozjdjno
https://lists.apache.org/thread/4nxbyl6mh5jgh0plk0qposbxwn6w9h8j
_____________________________________________________________________

CVE-2023-51785: Apache InLong: Arbitrary File Read Vulnerability in
Apache InLong Manager

Severity: important

Affected versions:

- Apache InLong 1.7.0 through 1.9.0

Description:

Deserialization of Untrusted Data vulnerability in Apache InLong.This
issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers
can make a arbitrary file read attack using mysql driver. Users are
advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to
solve it.

[1]  https://github.com/apache/inlong/pull/9331


Credit:

X1r0z (finder)


References:

https://www.cve.org/CVERecord?id=CVE-2023-51785

_____________________________________________________________________

CVE-2023-51784: Apache InLong: Remote Code Execution vulnerability
in Apache InLong Manager

Severity: important

Affected versions:

- Apache InLong 1.5.0 through 1.9.0

Description:

Improper Control of Generation of Code ('Code Injection')
vulnerability in Apache InLong.This issue affects Apache InLong:
from 1.5.0 through 1.9.0, which could lead to Remote Code Execution.
Users are advised to upgrade to Apache InLong's 1.10.0 or
cherry-pick [1] to solve it.

[1]  https://github.com/apache/inlong/pull/9329


Credit:

X1r0z (finder)


References:

https://www.cve.org/CVERecord?id=CVE-2023-51784



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================