oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-35088: Apache InLong: SQL injection in audit endpoint

From: Charles Zhang <dockerzhang () apache org>
Date: Tue, 25 Jul 2023 02:33:14 +0000
Severity: moderate

Affected versions:

- Apache InLong 1.4.0 through 1.7.0

Description:

Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software 
Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. 
In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query 
statement, which may lead to SQL injection attacks.
Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it.

[1]  https://github.com/apache/inlong/pull/8198

References:

https://inlong.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-35088
Previous By Date Next
Previous By Thread Next

Current thread: