Apache InLong security advisories

Security information for Apache InLong

Reporting

Do you want disclose a potential security issue for Apache InLong? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

An arbitrary file read vulnerability for JDBC

CVE-2025-27531 [CVE] [CVE json] [OSV json]

Last updated: 2025-02-28T12:24:23.760Z

Affected

  • Apache InLong from 1.13.0 before 2.1.0

Description

Deserialization of Untrusted Data vulnerability in Apache InLong. 

This issue affects Apache InLong: from 1.13.0 before 2.1.0,

this issue would allow an authenticated attacker to read arbitrary files by double writing the param.

Users are recommended to upgrade to version 2.1.0, which fixes the issue.

References

Credits

  • Ming (finder)

JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read

CVE-2025-27528 [CVE] [CVE json] [OSV json]

Last updated: 2025-05-28T08:12:25.901Z

Affected

  • Apache InLong from 1.13.0 through 2.1.0

Description

Deserialization of Untrusted Data vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.13.0 through 2.1.0.

This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong’s 2.2.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/11747

References

Credits

  • yulat (finder)
  • m4x (finder)
  • h3h3qaq (finder)

JDBC Vulnerability For URLEncode and backspace bypass

CVE-2025-27526 [CVE] [CVE json] [OSV json]

Last updated: 2025-05-28T08:07:33.686Z

Affected

  • Apache InLong from 1.13 through 2.1.0

Description

Deserialization of Untrusted Data vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability which can lead to JDBC Vulnerability URLEncdoe and backspace bypass. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/11747

References

Credits

  • yulate (finder)
  • m4x (finder)
  • h3h3qaq (finder)

JDBC Vulnerability during verification processing

CVE-2025-27522 [CVE] [CVE json] [OSV json]

Last updated: 2025-05-28T08:06:02.351Z

Affected

  • Apache InLong from 1.13.0 through 2.1.0

Description

Deserialization of Untrusted Data vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.

[1]

https://github.com/apache/inlong/pull/11732

References

Credits

  • yulate (finder)
  • m4x (finder)

Remote Code Execution vulnerability

CVE-2024-36268 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-02T09:44:23.542Z

Affected

  • Apache InLong TubeMQ Client from 1.10.0 through 1.12.0

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/10251

References

Credits

  • X1r0z (finder)

Logged-in user could exploit an arbitrary file read vulnerability

CVE-2024-26580 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-02T09:40:25.011Z

Affected

  • Apache InLong from 1.4.0 through 1.10.0

Description

Deserialization of Untrusted Data vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can

use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong’s 1.11.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/9673

References

Credits

  • an4er (finder)

Apache Inlong JDBC Vulnerability

CVE-2024-26579 [CVE] [CVE json] [OSV json]

Last updated: 2024-05-08T14:57:16.261Z

Affected

  • Apache InLong from 1.7.0 through 1.11

Description

Deserialization of Untrusted Data vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.7.0 through 1.11.0, 

the attackers can bypass using malicious parameters.

Users are advised to upgrade to Apache InLong’s 1.12.0 or cherry-pick [1], [2] to solve it.

[1] https://github.com/apache/inlong/pull/9694

[2] https://github.com/apache/inlong/pull/9707

References

Credits

  • L0ne1y (finder)
  • Ming (finder)

Arbitrary File Read Vulnerability in Apache InLong Manager

CVE-2023-51785 [CVE] [CVE json] [OSV json]

Last updated: 2024-01-03T09:36:21.640Z

Affected

  • Apache InLong from 1.7.0 through 1.9.0

Description

Deserialization of Untrusted Data vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong’s 1.10.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/9331

References

Credits

  • X1r0z (finder)

Remote Code Execution vulnerability in Apache InLong Manager

CVE-2023-51784 [CVE] [CVE json] [OSV json]

Last updated: 2024-01-03T09:39:13.790Z

Affected

  • Apache InLong from 1.5.0 through 1.9.0

Description

Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.5.0 through 1.9.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong’s 1.10.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/9329

References

Credits

  • X1r0z (finder)

Apache inlong has an Arbitrary File Read Vulnerability

CVE-2023-46227 [CVE] [CVE json] [OSV json]

Last updated: 2023-10-19T09:40:37.360Z

Affected

  • Apache InLong from 1.4.0 through 1.8.0

Description

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can use \t to bypass. Users are advised to upgrade to Apache InLong’s 1.9.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8814

References

Credits

  • Snakinya (finder)
  • s3gundo (finder)

Jdbc Connection Security Bypass in InLong

CVE-2023-43668 [CVE] [CVE json] [OSV json]

Last updated: 2023-11-14T09:51:43.493Z

Affected

  • Apache InLong from 1.4.0 through 1.8.0

Description

Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.8.0, 

some sensitive params checks will be bypassed, like “autoDeserizalize”,"allowLoadLocalInfile"….

.  

Users are advised to upgrade to Apache InLong’s 1.9.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8604

References

Credits

  • nbxiglk (finder)

Log Injection in Global functions

CVE-2023-43667 [CVE] [CVE json] [OSV json]

Last updated: 2024-09-27T11:45:32.709Z

Affected

  • Apache InLong from 1.4.0 through 1.8.0

Description

Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can create misleading or false log records, making it harder to audit and trace malicious activities. Users are advised to upgrade to Apache InLong’s 1.9.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8628

References

Credits

  • Jayway (finder)

General user Unauthorized access User Management

CVE-2023-43666 [CVE] [CVE json] [OSV json]

Last updated: 2023-10-16T01:54:42.830Z

Affected

  • Apache InLong from 1.4.0 through 1.8.0

Description

Insufficient Verification of Data Authenticity vulnerability in Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.8.0, 

General user can view all user data like Admin account.

Users are advised to upgrade to Apache InLong’s 1.9.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8623

References

SQL injection in audit endpoint

CVE-2023-35088 [CVE] [CVE json] [OSV json]

Last updated: 2023-07-25T07:10:17.507Z

Affected

  • Apache InLong from 1.4.0 through 1.7.0

Description

Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’) vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.7.0.  In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong’s 1.8.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8198


References

JDBC URL bypassing by allowLoadLocalInfileInPath param

CVE-2023-34434 [CVE] [CVE json] [OSV json]

Last updated: 2023-07-25T07:09:55.864Z

Affected

  • Apache InLong from 1.4.0 through 1.7.0

Description

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.7.0. 

The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong’s 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130.

References

Credits

  • sw0rd1ight and 4ra1n of Chaitin Tech (finder)

General user can delete and update process

CVE-2023-34189 [CVE] [CVE json] [OSV json]

Last updated: 2023-07-25T07:08:51.094Z

Affected

  • Apache InLong from 1.4.0 through 1.7.0

Description

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could use general users to delete and update the process, which only the admin can operate occurrences. 

Users are advised to upgrade to Apache InLong’s 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8109 to solve it.

References

IDOR make users can bind any cluster

CVE-2023-31454 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T13:22:59.589Z

Affected

  • Apache InLong from 1.2.0 through 1.6.0

Description

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.2.0 through 1.6.0. 

The attacker can bind any cluster, even if he is not the cluster owner. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7947 to solve it.

References

IDOR make users can delete others’ subscription

CVE-2023-31453 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T13:25:45.562Z

Affected

  • Apache InLong from 1.2.0 through 1.6.0

Description

Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others’ subscriptions, even if they are not the owner of the deleted subscriptionUsers are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick [1] to solve it.

[1]

https://github.com/apache/inlong/pull/7949

References

Attackers can change the immutable name and type of nodes

CVE-2023-31206 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T13:58:15.628Z

Affected

  • Apache InLong from 1.4.0 through 1.6.0

Description

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of nodes of InLong. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/7891

References

Attackers can change the immutable name and type of cluster

CVE-2023-31103 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T15:13:26.771Z

Affected

  • Apache InLong from 1.4.0 through 1.6.0

Description

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.6.0.  Attackers can change the immutable name and type of cluster of InLong. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7891 to solve it.

References

Users who joined later can see the data of deleted users

CVE-2023-31101 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T15:18:30.325Z

Affected

  • Apache InLong from 1.5.0 through 1.6.0

Description

Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.5.0 through 1.6.0. Users registered in InLong who joined later can see deleted users’ data. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve it.

References

Credits

  • lujie.ac.cn (finder)

Weak Password Implementation in InLong

CVE-2023-31098 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T15:31:51.278Z

Affected

  • Apache InLong from 1.1.0 through 1.6.0

Description

Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.1.0 through 1.6.0. 

When users change their password to a simple password (with any character or symbol), attackers can easily guess the user’s password and access the account.

Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 to solve it.

References

Credits

  • lujie.ac.cn (finder)

Insecure direct object references for inlong sources

CVE-2023-31066 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T15:35:37.675Z

Affected

  • Apache InLong from 1.4.0 through 1.6.0

Description

Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.6.0. Different users in InLong could delete, edit, stop, and start others’ sources! Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7775 to solve it.

References

Credits

  • lujie.ac.cn (finder)

Insufficient Session Expiration in InLong

CVE-2023-31065 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T15:40:53.524Z

Affected

  • Apache InLong from 1.4.0 through 1.6.0

Description

Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.6.0. 

An old session can be used by an attacker even after the user has been deleted or the password has been changed.

Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836, https://github.com/apache/inlong/pull/7884 to solve it.


References

Credits

  • lujie.ac.cn (finder)

Insecurity direct object references cancelling applications

CVE-2023-31064 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T15:44:19.190Z

Affected

  • Apache InLong from 1.2.0 through 1.6.0

Description

Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.2.0 through 1.6.0. the user in InLong could cancel an application that doesn’t belongs to it. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7799 to solve it.

References

Credits

  • lujie.ac.cn (finder)

Privilege escalation vulnerability for InLong

CVE-2023-31062 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T15:47:33.464Z

Affected

  • Apache InLong from 1.2.0 through 1.6.0

Description

Improper Privilege Management Vulnerabilities in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.2.0 through 1.6.0.  When the attacker has access to a valid (but unprivileged) account, the exploit can be executed using Burp Suite by sending a login request and following it with a subsequent HTTP request using the returned cookie.

Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve it.

References

Credits

  • escape Wang (finder)

JDBC URL bypassing by adding blanks

CVE-2023-31058 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-22T15:48:32.710Z

Affected

  • Apache InLong from 1.4.0 through 1.6.0

Description

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers would bypass the ‘autoDeserialize’ option filtering by adding blanks. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick 

https://github.com/apache/inlong/pull/7674 to solve it.

References

Credits

  • sw0rd1ight of Caiji Sec Team (finder)
  • 4ra1n of Chaitin Tech (finder)
  • H Ming (finder)

SQL injection in apache inLong 1.5.0

CVE-2023-30465 [CVE] [CVE json] [OSV json]

Last updated: 2023-04-11T14:18:47.907Z

Affected

  • Apache InLong from 1.4.0 through 1.5.0

Description

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the “orderType” parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the   user with ID 1 from the “user” table, one character at a time.  Users are advised to upgrade to Apache InLong’s 1.6.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/issues/7529

References

Credits

  • escape Wang (finder)

JDBC Deserialization Vulnerability in InLong

CVE-2023-27296 [CVE] [CVE json] [OSV json]

Last updated: 2023-03-27T08:57:01.107Z

Affected

  • Apache InLong from 1.1.0 through 1.5.0

Description

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.

It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability.

This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong’s latest version or cherry-pick [2] to solve it.

[1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html

[2] https://github.com/apache/inlong/pull/7422



References

Credits

  • escape Wang (finder)

Jdbc Connection Security Bypass

CVE-2023-24997 [CVE] [CVE json] [OSV json]

Last updated: 2023-03-27T09:06:20.067Z

Affected

  • Apache InLong from 1.1.0 through 1.5.0

Description

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong’s latest version or cherry-pick https://github.com/apache/inlong/pull/7223 to solve it.

References

Credits

  • This issue was discovered by s3gundo of Hundsun Tech (finder)

Jdbc Connection causes arbitrary file reading in InLong

CVE-2023-24977 [CVE] [CVE json] [OSV json]

Last updated: 2023-02-01T09:09:46.267Z

Affected

  • Apache InLong from 1.1.0 through 1.5.0

Description

Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong.

This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong’s latest version or cherry-pick https://github.com/apache/inlong/pull/7214 to solve it.

References

Credits

  • This issue was discovered by s3gundo of Hundsun Tech (finder)

Deserialization attack in Apache InLong prior to version 1.3.0 allows RCE via JDBC

CVE-2022-40955 [CVE] [CVE json] [OSV json]

Last updated: 2023-02-01T03:30:57.303Z

Affected

  • Apache InLong from Apache InLong before 1.3.0

Description

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server.

Users are advised to upgrade to Apache InLong 1.3.0 or newer.

References

Credits

  • This issue was discovered by 4ra1n of Chaitin Tech.