Lujie.Ac.Cn

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.4.0 through 1.6.0 **Description** The issue is related to insufficient session expiration, allowing an old session to be used by an attacker even after the user has been deleted or the password has been changed. **Recommendations** For Apache InLong versions 1.4.0 through 1.6.0, upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 or https://github.com/apache/inlong/pull/7884 to solve the issue. As a temporary workaround, consider restricting access to sensitive areas of the application that rely on session authentication until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.5.0 through 1.6.0 **Description** This issue allows users registered in InLong who joined later to see deleted users' data. The problem is related to insecure default initialization of resources. **Recommendations** For Apache InLong versions 1.5.0 through 1.6.0, upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.1.0 through 1.6.0 **Description** The issue is related to weak password requirements in Apache InLong. When users change their password to a simple password, attackers can easily guess the user's password and access the account. This allows a remote attacker to gain access to a user's account. **Recommendations** To solve the issue, users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805. As a temporary workaround, consider implementing strong password policies to minimize the risk of exploitation. Restrict access to accounts with simple passwords to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.2.0 through 1.6.0 **Description** The issue affects Apache InLong, allowing a user to cancel an application that does not belong to them. This is related to the use of files and directories accessible to external parties due to incorrect restriction of the directory path name with limited access when loading files. Exploitation of this issue may allow a remote attacker to execute arbitrary code. **Recommendations** For Apache InLong versions 1.2.0 through 1.6.0, users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7799 to solve the issue. As a temporary workaround, consider restricting access to sensitive applications to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.4.0 through 1.6.0 **Description** The issue is related to the use of files and directories accessible to external parties, which can be exploited by a remote attacker to execute arbitrary code. Different users in InLong could delete, edit, stop, and start others' sources. **Recommendations** For Apache InLong versions 1.4.0 through 1.6.0, upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7775 to solve the issue. As a temporary workaround, consider restricting access to sensitive sources and directories to minimize the risk of exploitation.