Apache InLong security advisories
Security information for Apache InLong
Reporting
Do you want disclose a potential security issue for Apache InLong? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
An arbitrary file read vulnerability for JDBC
CVE-2025-27531 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-28T12:24:23.760Z
Affected
- Apache InLong from 1.13.0 before 2.1.0
Description
Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.13.0 before 2.1.0,
this issue would allow an authenticated attacker to read arbitrary files by double writing the param.
Users are recommended to upgrade to version 2.1.0, which fixes the issue.
References
Credits
- Ming (finder)
JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read
CVE-2025-27528 [CVE] [CVE json] [OSV json]
Last updated: 2025-05-28T08:12:25.901Z
Affected
- Apache InLong from 1.13.0 through 2.1.0
Description
Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.13.0 through 2.1.0.
This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong’s 2.2.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/11747
References
- https://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj
- https://github.com/apache/inlong/pull/11747
Credits
- yulat (finder)
- m4x (finder)
- h3h3qaq (finder)
JDBC Vulnerability For URLEncode and backspace bypass
CVE-2025-27526 [CVE] [CVE json] [OSV json]
Last updated: 2025-05-28T08:07:33.686Z
Affected
- Apache InLong from 1.13 through 2.1.0
Description
Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability which can lead to JDBC Vulnerability URLEncdoe and backspace bypass. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/11747
References
- https://lists.apache.org/thread/4t4sqscm7xdqn883dyjy40qk6ncf26xf
- https://github.com/apache/inlong/pull/11747
Credits
- yulate (finder)
- m4x (finder)
- h3h3qaq (finder)
JDBC Vulnerability during verification processing
CVE-2025-27522 [CVE] [CVE json] [OSV json]
Last updated: 2025-05-28T08:06:02.351Z
Affected
- Apache InLong from 1.13.0 through 2.1.0
Description
Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/11732
References
- https://lists.apache.org/thread/s4dnmq3gwcjocxf85qk190knlzd26jby
- https://github.com/apache/inlong/pull/11732
Credits
- yulate (finder)
- m4x (finder)
Remote Code Execution vulnerability
CVE-2024-36268 [CVE] [CVE json] [OSV json]
Last updated: 2024-08-02T09:44:23.542Z
Affected
- Apache InLong TubeMQ Client from 1.10.0 through 1.12.0
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/10251
References
Credits
- X1r0z (finder)
Logged-in user could exploit an arbitrary file read vulnerability
CVE-2024-26580 [CVE] [CVE json] [OSV json]
Last updated: 2024-08-02T09:40:25.011Z
Affected
- Apache InLong from 1.4.0 through 1.10.0
Description
Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can
use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong’s 1.11.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/9673
References
Credits
- an4er (finder)
Apache Inlong JDBC Vulnerability
CVE-2024-26579 [CVE] [CVE json] [OSV json]
Last updated: 2024-05-08T14:57:16.261Z
Affected
- Apache InLong from 1.7.0 through 1.11
Description
Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.7.0 through 1.11.0,
the attackers can bypass using malicious parameters.
Users are advised to upgrade to Apache InLong’s 1.12.0 or cherry-pick [1], [2] to solve it.
[1] https://github.com/apache/inlong/pull/9694
[2] https://github.com/apache/inlong/pull/9707
References
Credits
- L0ne1y (finder)
- Ming (finder)
Arbitrary File Read Vulnerability in Apache InLong Manager
CVE-2023-51785 [CVE] [CVE json] [OSV json]
Last updated: 2024-01-03T09:36:21.640Z
Affected
- Apache InLong from 1.7.0 through 1.9.0
Description
Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong’s 1.10.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/9331
References
Credits
- X1r0z (finder)
Remote Code Execution vulnerability in Apache InLong Manager
CVE-2023-51784 [CVE] [CVE json] [OSV json]
Last updated: 2024-01-03T09:39:13.790Z
Affected
- Apache InLong from 1.5.0 through 1.9.0
Description
Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.5.0 through 1.9.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong’s 1.10.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/9329
References
Credits
- X1r0z (finder)
Apache inlong has an Arbitrary File Read Vulnerability
CVE-2023-46227 [CVE] [CVE json] [OSV json]
Last updated: 2023-10-19T09:40:37.360Z
Affected
- Apache InLong from 1.4.0 through 1.8.0
Description
Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can use \t to bypass. Users are advised to upgrade to Apache InLong’s 1.9.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/8814
References
Credits
- Snakinya (finder)
- s3gundo (finder)
Jdbc Connection Security Bypass in InLong
CVE-2023-43668 [CVE] [CVE json] [OSV json]
Last updated: 2023-11-14T09:51:43.493Z
Affected
- Apache InLong from 1.4.0 through 1.8.0
Description
Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.8.0,
some sensitive params checks will be bypassed, like “autoDeserizalize”,"allowLoadLocalInfile"….
.
Users are advised to upgrade to Apache InLong’s 1.9.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/8604
References
Credits
- nbxiglk (finder)
Log Injection in Global functions
CVE-2023-43667 [CVE] [CVE json] [OSV json]
Last updated: 2024-09-27T11:45:32.709Z
Affected
- Apache InLong from 1.4.0 through 1.8.0
Description
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can create misleading or false log records, making it harder to audit and trace malicious activities. Users are advised to upgrade to Apache InLong’s 1.9.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/8628
References
Credits
- Jayway (finder)
General user Unauthorized access User Management
CVE-2023-43666 [CVE] [CVE json] [OSV json]
Last updated: 2023-10-16T01:54:42.830Z
Affected
- Apache InLong from 1.4.0 through 1.8.0
Description
Insufficient Verification of Data Authenticity vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.8.0,
General user can view all user data like Admin account.
Users are advised to upgrade to Apache InLong’s 1.9.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/8623
References
SQL injection in audit endpoint
CVE-2023-35088 [CVE] [CVE json] [OSV json]
Last updated: 2023-07-25T07:10:17.507Z
Affected
- Apache InLong from 1.4.0 through 1.7.0
Description
Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’) vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.7.0. In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong’s 1.8.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/8198
References
JDBC URL bypassing by allowLoadLocalInfileInPath param
CVE-2023-34434 [CVE] [CVE json] [OSV json]
Last updated: 2023-07-25T07:09:55.864Z
Affected
- Apache InLong from 1.4.0 through 1.7.0
Description
Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.7.0.
The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong’s 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130.
References
Credits
- sw0rd1ight and 4ra1n of Chaitin Tech (finder)
General user can delete and update process
CVE-2023-34189 [CVE] [CVE json] [OSV json]
Last updated: 2023-07-25T07:08:51.094Z
Affected
- Apache InLong from 1.4.0 through 1.7.0
Description
Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.7.0. The attacker could use general users to delete and update the process, which only the admin can operate occurrences.
Users are advised to upgrade to Apache InLong’s 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8109 to solve it.
References
IDOR make users can bind any cluster
CVE-2023-31454 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T13:22:59.589Z
Affected
- Apache InLong from 1.2.0 through 1.6.0
Description
Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.2.0 through 1.6.0.
The attacker can bind any cluster, even if he is not the cluster owner. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7947 to solve it.
References
IDOR make users can delete others’ subscription
CVE-2023-31453 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T13:25:45.562Z
Affected
- Apache InLong from 1.2.0 through 1.6.0
Description
Incorrect Permission Assignment for Critical Resource Vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can delete others’ subscriptions, even if they are not the owner of the deleted subscription. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick [1] to solve it.
https://github.com/apache/inlong/pull/7949
References
Attackers can change the immutable name and type of nodes
CVE-2023-31206 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T13:58:15.628Z
Affected
- Apache InLong from 1.4.0 through 1.6.0
Description
Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of nodes of InLong. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/7891
References
Attackers can change the immutable name and type of cluster
CVE-2023-31103 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T15:13:26.771Z
Affected
- Apache InLong from 1.4.0 through 1.6.0
Description
Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.6.0.
Attackers can change the immutable name and type of cluster of InLong. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7891 to solve it.
References
Users who joined later can see the data of deleted users
CVE-2023-31101 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T15:18:30.325Z
Affected
- Apache InLong from 1.5.0 through 1.6.0
Description
Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.5.0 through 1.6.0. Users registered in InLong who joined later can see deleted users’ data. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve it.
References
Credits
- lujie.ac.cn (finder)
Weak Password Implementation in InLong
CVE-2023-31098 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T15:31:51.278Z
Affected
- Apache InLong from 1.1.0 through 1.6.0
Description
Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.1.0 through 1.6.0.
When users change their password to a simple password (with any character or symbol), attackers can easily guess the user’s password and access the account.
Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805 to solve it.
References
Credits
- lujie.ac.cn (finder)
Insecure direct object references for inlong sources
CVE-2023-31066 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T15:35:37.675Z
Affected
- Apache InLong from 1.4.0 through 1.6.0
Description
Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.6.0. Different users in InLong could delete, edit, stop, and start others’ sources! Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7775 to solve it.
References
Credits
- lujie.ac.cn (finder)
Insufficient Session Expiration in InLong
CVE-2023-31065 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T15:40:53.524Z
Affected
- Apache InLong from 1.4.0 through 1.6.0
Description
Insufficient Session Expiration vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.6.0.
An old session can be used by an attacker even after the user has been deleted or the password has been changed.
Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836, https://github.com/apache/inlong/pull/7884 to solve it.
References
Credits
- lujie.ac.cn (finder)
Insecurity direct object references cancelling applications
CVE-2023-31064 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T15:44:19.190Z
Affected
- Apache InLong from 1.2.0 through 1.6.0
Description
Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.2.0 through 1.6.0. the user in InLong could cancel an application that doesn’t belongs to it. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7799 to solve it.
References
Credits
- lujie.ac.cn (finder)
Privilege escalation vulnerability for InLong
CVE-2023-31062 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T15:47:33.464Z
Affected
- Apache InLong from 1.2.0 through 1.6.0
Description
Improper Privilege Management Vulnerabilities in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.2.0 through 1.6.0. When the attacker has access to a valid (but unprivileged) account, the exploit can be executed using Burp Suite by sending a login request and following it with a subsequent HTTP request using the returned cookie.
Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve it.
References
Credits
- escape Wang (finder)
JDBC URL bypassing by adding blanks
CVE-2023-31058 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-22T15:48:32.710Z
Affected
- Apache InLong from 1.4.0 through 1.6.0
Description
Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers would bypass the ‘autoDeserialize’ option filtering by adding blanks. Users are advised to upgrade to Apache InLong’s 1.7.0 or cherry-pick
https://github.com/apache/inlong/pull/7674 to solve it.
References
Credits
- sw0rd1ight of Caiji Sec Team (finder)
- 4ra1n of Chaitin Tech (finder)
- H Ming (finder)
SQL injection in apache inLong 1.5.0
CVE-2023-30465 [CVE] [CVE json] [OSV json]
Last updated: 2023-04-11T14:18:47.907Z
Affected
- Apache InLong from 1.4.0 through 1.5.0
Description
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the “orderType” parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the user with ID 1 from the “user” table, one character at a time. Users are advised to upgrade to Apache InLong’s 1.6.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/issues/7529
References
Credits
- escape Wang (finder)
JDBC Deserialization Vulnerability in InLong
CVE-2023-27296 [CVE] [CVE json] [OSV json]
Last updated: 2023-03-27T08:57:01.107Z
Affected
- Apache InLong from 1.1.0 through 1.5.0
Description
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.
It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability.
This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong’s latest version or cherry-pick [2] to solve it.
[1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html
[2] https://github.com/apache/inlong/pull/7422
References
Credits
- escape Wang (finder)
Jdbc Connection Security Bypass
CVE-2023-24997 [CVE] [CVE json] [OSV json]
Last updated: 2023-03-27T09:06:20.067Z
Affected
- Apache InLong from 1.1.0 through 1.5.0
Description
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong’s latest version or cherry-pick https://github.com/apache/inlong/pull/7223 to solve it.
References
Credits
- This issue was discovered by s3gundo of Hundsun Tech (finder)
Jdbc Connection causes arbitrary file reading in InLong
CVE-2023-24977 [CVE] [CVE json] [OSV json]
Last updated: 2023-02-01T09:09:46.267Z
Affected
- Apache InLong from 1.1.0 through 1.5.0
Description
Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong’s latest version or cherry-pick https://github.com/apache/inlong/pull/7214 to solve it.
References
Credits
- This issue was discovered by s3gundo of Hundsun Tech (finder)
Deserialization attack in Apache InLong prior to version 1.3.0 allows RCE via JDBC
CVE-2022-40955 [CVE] [CVE json] [OSV json]
Last updated: 2023-02-01T03:30:57.303Z
Affected
- Apache InLong from Apache InLong before 1.3.0
Description
In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server.
Users are advised to upgrade to Apache InLong 1.3.0 or newer.
References
Credits
- This issue was discovered by 4ra1n of Chaitin Tech.