Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/10251
The vulnerability is caused by improper control of code generation (CWE-94 — Improper Control of Generation of Code), which enables injection of malicious code executed by the server. The vulnerability is remotely accessible over the network without requiring an account or user interaction. The attack does not require special prerequisites (low complexity), making it easy to execute.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code remotely on the server, which may lead to complete system compromise, data breach, and violation of service integrity and availability.
Apache InLong should be updated to version 1.13.0. Alternatively, it is possible to selectively apply a patch (cherry-pick) from the GitHub repository: https://github.com/apache/inlong/pull/10251.
Apache InLong in versions 1.10.0 to 1.12.0 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Inlong
APPApache1.10.0 – 1.13.0 (bez)
Related vulnerabilities
Apache InLong: deserializacja danych — odczyt dowolnych plików
Niebezpieczna deserializacja w Apache InLong umożliwia odczyt plików
Deserializacja niezaufanych danych w Apache InLong — ominięcie zabezpieczeń
Apache InLong — deserializacja danych umożliwiająca odczyt dowolnych plików
Apache InLong — Code Injection umożliwiający zdalne wykonanie kodu (RCE)