Severity: important

Description:

Improper Neutralization of Special Elements used in an SQL Command ('SQL 
Injection') vulnerability in Apache Software Foundation Apache InLong. This 
issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the 
"orderType" parameter and the ordering of the returned content using an SQL 
injection attack, an attacker can extract the username of the user with ID 1 
from the "user" table, one character at a time. Users are advised to upgrade 
to Apache InLong 1.6.0 or cherry-pick [1] to solve it.

https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html

[1]  https://github.com/apache/inlong/issues/7529 
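The root cause described above is a sort direction ("orderType") that reaches the ORDER BY clause as a raw string. Identifiers and keywords cannot be bound as prepared-statement parameters, so the standard mitigation is to map the user-supplied value onto a fixed allowlist and reject everything else. The following is an added example written for this advisory, not code from Apache InLong or the fix in [1]; the table, columns and sample rows are constructed for illustration.

```python
import sqlite3

# Allowlists: only these exact values may ever be spliced into the SQL text.
# Anything else (including SQL fragments) is rejected before query building.
ALLOWED_ORDER_TYPES = {"asc": "ASC", "desc": "DESC"}
ALLOWED_ORDER_FIELDS = {"id": "id", "name": "name", "create_time": "create_time"}


def build_order_by(order_field, order_type):
    """Return a safe ORDER BY clause, or raise ValueError on any other input."""
    try:
        column = ALLOWED_ORDER_FIELDS[str(order_field).strip().lower()]
        direction = ALLOWED_ORDER_TYPES[str(order_type).strip().lower()]
    except KeyError:
        raise ValueError("invalid sort parameter") from None
    # Only allowlisted literals reach the query string, never the raw input.
    return f"ORDER BY {column} {direction}"


def is_sort_param_accepted(order_field, order_type):
    """Validation check a request handler can run before touching the DB."""
    try:
        build_order_by(order_field, order_type)
        return True
    except ValueError:
        return False


def list_user_names(conn, order_field="id", order_type="asc"):
    """Hypothetical 'list users' endpoint with a caller-controlled sort."""
    sql = f"SELECT id, name FROM user {build_order_by(order_field, order_type)}"
    return [row[1] for row in conn.execute(sql)]


def make_sample_db():
    """Constructed in-memory table standing in for the 'user' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, create_time TEXT)"
    )
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "admin", "2023-01-01"), (2, "bob", "2023-02-01"),
         (3, "alice", "2023-03-01")],
    )
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print(list_user_names(db, "name", "desc"))
    print(is_sort_param_accepted("id", "asc, (SELECT name FROM user)"))
```

Rejecting rather than sanitising the value also makes the failure visible in application logs, which is where a blind, character-by-character probing pattern against a sort parameter would show up as a burst of validation errors from one client.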

Credit:

escape Wang (finder)

References:

https://inlong.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-30465
