Escape Wang

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.2.0 through 1.6.0 **Description** This issue is related to improper privilege management. When an attacker has access to a valid but unprivileged account, the exploit can be executed using Burp Suite by sending a login request and following it with a subsequent HTTP request using the returned cookie. **Recommendations** To solve this issue, users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.4.0 through 1.5.0 **Description** The issue is related to an SQL Injection vulnerability. By manipulating the `orderType` parameter, an attacker can extract the username of the user with ID 1 from the "user" table, one character at a time, using an SQL injection attack. **Recommendations** To resolve the issue, upgrade to Apache InLong's 1.6.0 or cherry-pick the fix from PR #7529 or PR #7530. As a temporary workaround, consider restricting access to the `orderType` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.1.0 through 1.5.0 **Description** The issue is related to the deserialization of untrusted data in Apache InLong, which could be triggered by authenticated users. This vulnerability affects the MySQLDataNode due to the deserialization of untrusted data from the MySQL JDBC URL. **Recommendations** For Apache InLong versions 1.1.0 through 1.5.0, users are advised to upgrade to Apache InLong's latest version or cherry-pick the patch to solve the issue. As a temporary workaround, consider restricting access to the MySQLDataNode to minimize the risk of exploitation.