CRITICAL🇵🇱 Wersja polska

CVE-2025-27531

CVSS 9.8v3.1pub. 2025-06-06upd. 2025-06-23

Deserialization of Untrusted Data vulnerability in Apache InLong.  This issue affects Apache InLong: from 1.13.0 before 2.1.0, this issue would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.

🤖 AI Analysis
How it works

The vulnerability results from improper deserialization of untrusted data (CWE-502) in Apache InLong. An attacker with access to an application account can exploit the double parameter writing technique to bypass input data validation mechanisms. As a result, the vulnerable processing path deserializes crafted data, allowing arbitrary file reads accessible to the server process.

Impact

An authenticated attacker can read arbitrary files from the server's file system, which may lead to disclosure of sensitive data, cryptographic keys, passwords, or other sensitive configuration information.

Mitigation & patch

Apache InLong should be updated to version 2.1.0, which contains a patch eliminating the described vulnerability.

Who is affected

Apache InLong in versions from 1.13.0 to 2.0.x (before version 2.1.0)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Inlong

    APP
    Apache
    1.13.0 – 2.1.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Deserialization
CWE
References

Related vulnerabilities

CVE-2025-27528CRITICAL9.1PL ✓ten sam produkt

Niebezpieczna deserializacja w Apache InLong umożliwia odczyt plików

CVE-2024-36268CRITICAL9.8PL ✓ten sam produkt

Apache InLong — Code Injection umożliwiający zdalne wykonanie kodu (RCE)

CVE-2024-26579CRITICAL9.8PL ✓ten sam produkt

Deserializacja niezaufanych danych w Apache InLong — ominięcie zabezpieczeń

CVE-2024-26580CRITICAL9.1PL ✓ten sam produkt

Apache InLong — deserializacja danych umożliwiająca odczyt dowolnych plików

CVE-2023-51784CRITICAL9.8PL ✓ten sam produkt

Apache InLong — Code Injection umożliwiający zdalne wykonanie kodu (RCE)