Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 before 2.1.0, this issue would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.
The vulnerability results from improper deserialization of untrusted data (CWE-502) in Apache InLong. An attacker with access to an application account can exploit the double parameter writing technique to bypass input data validation mechanisms. As a result, the vulnerable processing path deserializes crafted data, allowing arbitrary file reads accessible to the server process.
An authenticated attacker can read arbitrary files from the server's file system, which may lead to disclosure of sensitive data, cryptographic keys, passwords, or other sensitive configuration information.
Apache InLong should be updated to version 2.1.0, which contains a patch eliminating the described vulnerability.
Apache InLong in versions from 1.13.0 to 2.0.x (before version 2.1.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Inlong
APPApache1.13.0 – 2.1.0 (bez)
Related vulnerabilities
Niebezpieczna deserializacja w Apache InLong umożliwia odczyt plików
Apache InLong — Code Injection umożliwiający zdalne wykonanie kodu (RCE)
Deserializacja niezaufanych danych w Apache InLong — ominięcie zabezpieczeń
Apache InLong — deserializacja danych umożliwiająca odczyt dowolnych plików
Apache InLong — Code Injection umożliwiający zdalne wykonanie kodu (RCE)