Apache InLong SQL Injection vulnerability

GHSA-cqr6-3x3f-9wr3 · CVE-2023-30465

Published Jul 6, 2023 · Modified Feb 13, 2025

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the "orderType" parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the user with ID 1 from the "user" table, one character at a time. Users are advised to upgrade to Apache InLong's 1.6.0 or cherry-pick PR #7530 to solve it.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-30465
WEB https://github.com/apache/inlong/issues/7529
WEB https://github.com/apache/inlong/pull/7530
PACKAGE https://github.com/apache/inlong
WEB https://inlong.apache.org/zh-CN/download/release-1.6.0
WEB https://lists.apache.org/thread/mrh4nr3jrlbj6nxkn4q8hddbfh1pnok0
WEB http://www.openwall.com/lists/oss-security/2023/04/11/2

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes