
Researchers have identified two vulnerabilities in Apache InLong that could lead to remote code execution and arbitrary file read.
Remote Code Execution vulnerability in Apache InLong Manager
The vulnerability tracked as CVE-2023-51874, rated 'important' in severity, is a Remote Code Execution (RCE) vulnerability in Apache InLong Manager. Stemming from 'Improper Control of Generation of Code' (Code Injection), the flaw affects versions 1.5.0 through 1.9.0. It allowed attackers to execute arbitrary code remotely, posing a significant risk to the integrity and security of data managed by InLong. Users are strongly advised to upgrade to Apache InLong 1.10.0 or cherry-pick the fix to mitigate this threat.
Arbitrary File Read Vulnerability in Apache InLong Manager
The vulnerability tracked as CVE-2023-51785 is an Arbitrary File Read vulnerability in Apache InLong Manager. Resulting from Deserialization of Untrusted Data, it affected versions 1.7.0 through 1.9.0. In this case, attackers could abuse the MySQL driver to perform arbitrary file reads, potentially gaining unauthorized access to sensitive data. Upgrading to Apache InLong 1.10.0 or cherry-picking the specific fix is the recommended course of action.
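As an added defensive example (not InLong's own code or the project's actual fix), the check below rejects user-supplied MySQL JDBC URLs that enable Connector/J options letting the server end of a connection read client files or hand it objects to deserialize, which is the class of weakness behind the file-read issue above. The property names are real MySQL Connector/J options; the denylist policy and the function names are this example's assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# MySQL Connector/J options that let the server end of the connection read
# files from the client or hand it bytes to deserialize. Keys are lowercased.
BLOCKED_PROPERTIES = {
    "allowloadlocalinfile",
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
    "autodeserialize",
}

# Values that leave an option disabled; anything else counts as enabled.
DISABLED_VALUES = {"", "false", "no", "0", "off"}


def blocked_properties(jdbc_url: str) -> list[str]:
    """Return the blocked options a MySQL JDBC URL enables, in order seen.

    An empty list means the URL passes. Names are compared case-insensitively
    after percent-decoding, so `ALLOWLOADLOCALINFILE` or `allow%4coadLocalInfile`
    are caught as well as the canonical spelling.
    """
    if not jdbc_url.lower().startswith("jdbc:mysql:"):
        raise ValueError("not a MySQL JDBC URL")
    # Drop the "jdbc:" prefix so urlsplit parses the rest like mysql://host/db?...
    query = urlsplit(jdbc_url[len("jdbc:"):]).query
    found: list[str] = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        name = key.strip().lower()
        enabled = value.strip().lower() not in DISABLED_VALUES
        if name in BLOCKED_PROPERTIES and enabled and name not in found:
            found.append(name)
    return found


def validate_jdbc_url(jdbc_url: str) -> str:
    """Raise ValueError if the URL enables a blocked option; else return it."""
    bad = blocked_properties(jdbc_url)
    if bad:
        raise ValueError(f"rejected JDBC URL: enables {', '.join(bad)}")
    return jdbc_url


if __name__ == "__main__":
    # Constructed sample URLs for a quick demonstration.
    for url in (
        "jdbc:mysql://db.internal:3306/inlong?useSSL=true",
        "jdbc:mysql://db.internal:3306/inlong?allowLoadLocalInfile=true",
    ):
        print(url, "->", blocked_properties(url) or "ok")
```

The same denylist should also be applied to any separate properties map the service passes to the driver, since Connector/J accepts options from either place.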
Both these vulnerabilities have been patched in the latest InLong 1.10.0 release. So, the first line of defense is simple: upgrade! If immediate patching isn’t an option, you can also apply a cherry-pick fix to your specific InLong version.