[MAVEN:GHSA-PQ67-9JF9-HC3C] JDBC URL bypassing by allowLoadLocalInfileInPath param

Severity High
Affected Packages 1
Fixed Packages 1
CVEs 1

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.7.0.

The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130 .

Package Affected Version
pkg:maven/org.apache.inlong/manager-pojo >= 1.4.0, < 1.8.0
Package Fixed Version
pkg:maven/org.apache.inlong/manager-pojo = 1.8.0
ID
MAVEN:GHSA-PQ67-9JF9-HC3C
Severity
high
URL
https://github.com/advisories/GHSA-pq67-9jf9-hc3c
Published
2023-07-25T09:30:18
(14 months ago)
Modified
2023-11-05T05:03:07
(10 months ago)
Rights
Maven Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.apache.inlong/manager-pojo org.apache.inlong manager-pojo >= 1.4.0 < 1.8.0
Fixed pkg:maven/org.apache.inlong/manager-pojo org.apache.inlong manager-pojo = 1.8.0