Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-30465

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the "orderType" parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the user with ID 1 from the "user" table, one character at a time. Users are advised to upgrade to Apache InLong's 1.6.0 or cherry-pick [1] to solve it. https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [1] https://github.com/apache/inlong/issues/7529 https://github.com/apache/inlong/issues/7529

Published

2023-04-11T15:15:10.673

Last Modified

2025-02-13T17:16:24.653

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Primary
CWE-89

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	inlong	1.4.0	Yes
Application	apache	inlong	1.5.0	Yes

References

http://www.openwall.com/lists/oss-security/2023/04/11/2 Mailing List, Third Party Advisory ([email protected])
https://lists.apache.org/thread/mrh4nr3jrlbj6nxkn4q8hddbfh1pnok0 Mailing List ([email protected])
http://www.openwall.com/lists/oss-security/2023/04/11/2 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/mrh4nr3jrlbj6nxkn4q8hddbfh1pnok0 Mailing List (af854a3a-2127-422b-91ae-364da2661108)