Charles Zhang

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.4.0 through 1.8.0 **Description** The issue is related to Insufficient Verification of Data Authenticity in Apache InLong, allowing a general user to view all user data, including data from Admin accounts. **Recommendations** For Apache InLong versions 1.4.0 through 1.8.0, upgrade to Apache InLong's 1.9.0 or cherry-pick the provided patch to solve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.4.0 through 1.7.0 **Description** The issue is related to an SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. This occurs in the `toAuditCkSql` method where the `groupId`, `streamId`, `auditId`, and `dt` are directly concatenated into the SQL query statement, potentially leading to SQL injection attacks. **Recommendations** To resolve the issue, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick the solution provided in https://github.com/apache/inlong/pull/8198. As a temporary workaround, consider restricting the input for the `groupId`, `streamId`, `auditId`, and `dt` variables to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.4.0 through 1.7.0 **Description** The issue allows an attacker to use general users to delete and update processes that should only be operable by admins. **Recommendations** For versions 1.4.0 through 1.7.0, upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8109 to solve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.1.0 through 1.6.0 **Description** The issue is related to weak password requirements in Apache InLong. When users change their password to a simple password, attackers can easily guess the user's password and access the account. This allows a remote attacker to gain access to a user's account. **Recommendations** To solve the issue, users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7805. As a temporary workaround, consider implementing strong password policies to minimize the risk of exploitation. Restrict access to accounts with simple passwords to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.2.0 through 1.6.0 **Description** The issue is related to an incorrect permission assignment for a critical resource in Apache InLong, allowing a remote attacker to elevate their privileges and bind any cluster, even if they are not the cluster owner. **Recommendations** For Apache InLong versions 1.2.0 through 1.6.0, users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick the solution from https://github.com/apache/inlong/pull/7947 to solve the issue.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.2.0 through 1.6.0 **Description** The issue affects Apache InLong, allowing a user to cancel an application that does not belong to them. This is related to the use of files and directories accessible to external parties due to incorrect restriction of the directory path name with limited access when loading files. Exploitation of this issue may allow a remote attacker to execute arbitrary code. **Recommendations** For Apache InLong versions 1.2.0 through 1.6.0, users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7799 to solve the issue. As a temporary workaround, consider restricting access to sensitive applications to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache InLong versions 1.4.0 through 1.6.0 **Description** The issue is related to the use of files and directories accessible to external parties, which can be exploited by a remote attacker to execute arbitrary code. Different users in InLong could delete, edit, stop, and start others' sources. **Recommendations** For Apache InLong versions 1.4.0 through 1.6.0, upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7775 to solve the issue. As a temporary workaround, consider restricting access to sensitive sources and directories to minimize the risk of exploitation.