CVE-2023-27296 - Vulnerability Details - OpenCVE

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it. [1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Apache	Inlong

Configuration 1 [-]

cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread/xbvtjw9bwzgbo9fp1by8o3p49nf59xzt

History

Wed, 23 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-03-27T14:10:32.785Z

Updated: 2024-10-23T16:39:30.822Z

Reserved: 2023-02-28T02:47:39.202Z

Link: CVE-2023-27296

Vulnrichment

Updated: 2024-08-02T12:09:43.156Z

NVD

Status : Modified

Published: 2023-03-27T15:15:08.650

Modified: 2024-11-21T07:52:36.060

Link: CVE-2023-27296

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-27296", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-02-28T02:47:39.202Z", "datePublished": "2023-03-27T14:10:32.785Z", "dateUpdated": "2024-10-23T16:39:30.822Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache InLong", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.5.0", "status": "affected", "version": "1.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "escape Wang"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.<br><br><span style=\"background-color: rgb(255, 255, 255);\">It could be triggered by authenticated users of InLong, </span>you could refer to [1] to know more about this vulnerability.<br><br>This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it.<br><br>\n\n<span style=\"background-color: rgb(255, 255, 255);\">[1] </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html\">https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html<br><br></a>\n\n<span style=\"background-color: rgb(255, 255, 255);\">[2] </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/7422\">https://github.com/apache/inlong/pull/7422</a>\n\n<br><br>"}], "value": "Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.\n\nIt could be triggered by authenticated users of InLong,\u00a0you could refer\u00a0to [1]\u00a0to know more about this\u00a0vulnerability.\n\nThis issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2]\u00a0to solve it.\n\n\n\n[1]\u00a0 https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html\n\n https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html \n\n[2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422 \n\n\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-03-27T14:10:32.785Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/xbvtjw9bwzgbo9fp1by8o3p49nf59xzt"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache InLong: JDBC Deserialization Vulnerability in InLong", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:09:43.156Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/xbvtjw9bwzgbo9fp1by8o3p49nf59xzt"}]}, {"affected": [{"vendor": "apache", "product": "inlong", "cpes": ["cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.1.0", "status": "affected", "lessThanOrEqual": "1.5.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-23T16:31:47.541688Z", "id": "CVE-2023-27296", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T16:39:30.822Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/xbvtjw9bwzgbo9fp1by8o3p49nf59xzt", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:09:43.156Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-27296", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-23T16:31:47.541688Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "inlong", "versions": [{"status": "affected", "version": "1.1.0", "versionType": "custom", "lessThanOrEqual": "1.5.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T16:39:25.846Z"}}], "cna": {"title": "Apache InLong: JDBC Deserialization Vulnerability in InLong", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "escape Wang"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache InLong", "versions": [{"status": "affected", "version": "1.1.0", "versionType": "semver", "lessThanOrEqual": "1.5.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/xbvtjw9bwzgbo9fp1by8o3p49nf59xzt", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.\n\nIt could be triggered by authenticated users of InLong,\u00a0you could refer\u00a0to [1]\u00a0to know more about this\u00a0vulnerability.\n\nThis issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2]\u00a0to solve it.\n\n\n\n[1]\u00a0 https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html\n\n https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html \n\n[2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422 \n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.<br><br><span style=\"background-color: rgb(255, 255, 255);\">It could be triggered by authenticated users of InLong, </span>you could refer to [1] to know more about this vulnerability.<br><br>This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it.<br><br>\n\n<span style=\"background-color: rgb(255, 255, 255);\">[1] </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html\">https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html<br><br></a>\n\n<span style=\"background-color: rgb(255, 255, 255);\">[2] </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/7422\">https://github.com/apache/inlong/pull/7422</a>\n\n<br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-03-27T14:10:32.785Z"}}}, "cveMetadata": {"cveId": "CVE-2023-27296", "state": "PUBLISHED", "dateUpdated": "2024-10-23T16:39:30.822Z", "dateReserved": "2023-02-28T02:47:39.202Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-03-27T14:10:32.785Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B76100A-B84F-42E0-98DD-8637E4B5C63A", "versionEndIncluding": "1.5.0", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.\n\nIt could be triggered by authenticated users of InLong,\u00a0you could refer\u00a0to [1]\u00a0to know more about this\u00a0vulnerability.\n\nThis issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2]\u00a0to solve it.\n\n\n\n[1]\u00a0 https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html\n\n https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html \n\n[2] https://github.com/apache/inlong/pull/7422 https://github.com/apache/inlong/pull/7422 \n\n\n\n"}], "id": "CVE-2023-27296", "lastModified": "2024-11-21T07:52:36.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-03-27T15:15:08.650", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://lists.apache.org/thread/xbvtjw9bwzgbo9fp1by8o3p49nf59xzt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Vendor Advisory"], "url": "https://lists.apache.org/thread/xbvtjw9bwzgbo9fp1by8o3p49nf59xzt"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}