====================================================================

                               CERT-Renater

                    Note d'Information No. 2024/VULN353
_____________________________________________________________________

DATE                : 04/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Apache running Apache InLong versions prior
                                    to 1.13.0.

=====================================================================
https://lists.apache.org/thread/1w1yp1bg5sjvn46dszkf00tz1vfs0frc
_____________________________________________________________________

CVE-2024-36268: Apache InLong TubeMQ Client: Remote Code Execution
vulnerability

Severity: important

Affected versions:

- Apache InLong TubeMQ Client 1.10.0 through 1.12.0

Description:

Improper Control of Generation of Code ('Code Injection')
vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.10.0 through 1.12.0, which
could lead to Remote Code Execution. Users are advised to upgrade
to Apache InLong's 1.13.0 or cherry-pick [1] to solve it.

[1]  https://github.com/apache/inlong/pull/10251

Credit:

X1r0z  (finder)

References:

https://github.com/apache/inlong/pull/10251
https://inlong.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-36268



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================