PT-2022-4972 · Apache · Apache Inlong

4Ra1N +1 · Published 2022-09-15 · Updated 2025-05-29 · CVE-2022-40955

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Apache InLong versions prior to 1.3.0

Description: The issue is related to the deserialization of untrusted data in the MySQL JDBC connection URL parameters, potentially leading to Remote Code Execution on the Apache InLong server. An attacker with sufficient privileges to specify these parameters and write arbitrary data to the MySQL database could exploit this issue.

Recommendations: For versions prior to 1.3.0, upgrade to Apache InLong 1.3.0 or newer. As a temporary workaround, consider restricting access to the MySQL database and limiting privileges to specify MySQL JDBC connection URL parameters until a patch is applied.
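
The temporary workaround comes down to controlling which connection URL properties a caller may supply. One way to enforce that is an allowlist check run before the URL reaches the driver. This is an added example, not Apache InLong's own code or its 1.3.0 fix; the class name, the allowed property set and the sample URLs are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper (requires Java 10+); not part of Apache InLong.
public class JdbcUrlAllowlist {
    private static final String PREFIX = "jdbc:mysql://";
    // Assumption: the only URL properties this deployment needs (compared in lower case).
    private static final Set<String> ALLOWED =
            Set.of("usessl", "characterencoding", "servertimezone", "connecttimeout");
    // One plain host, optional port, optional database; property-bearing host syntax never matches.
    private static final Pattern HOST_DB =
            Pattern.compile("[A-Za-z0-9.-]+(:\\d{1,5})?(/[A-Za-z0-9_]*)?");

    /** Returns the URL if every property is allowlisted; throws IllegalArgumentException otherwise. */
    public static String validate(String url) {
        if (url == null || !url.regionMatches(true, 0, PREFIX, 0, PREFIX.length()))
            throw new IllegalArgumentException("not a MySQL JDBC URL");
        // Decode until stable so percent-encoded or double-encoded names are compared in clear.
        String decoded = url;
        for (int i = 0; i < 4 && decoded.contains("%"); i++) {
            decoded = URLDecoder.decode(decoded, StandardCharsets.UTF_8); // throws on malformed escapes
        }
        if (decoded.contains("%")) throw new IllegalArgumentException("unresolved percent-encoding");
        int q = decoded.indexOf('?');
        String base = decoded.substring(PREFIX.length(), q < 0 ? decoded.length() : q);
        if (!HOST_DB.matcher(base).matches())
            throw new IllegalArgumentException("unsupported host/database part");
        String query = q < 0 ? "" : decoded.substring(q + 1);
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            String key = pair.split("=", 2)[0].trim().toLowerCase(Locale.ROOT);
            if (!ALLOWED.contains(key)) throw new IllegalArgumentException("property not allowed: " + key);
        }
        return url;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; "notOnTheList" is a placeholder property name.
        String[] samples = {"jdbc:mysql://db.internal:3306/inlong?useSSL=true&characterEncoding=UTF-8",
            "jdbc:mysql://db.internal:3306/inlong?use%53SL=true&notOnTheList=1"};
        for (String s : samples) {
            try { System.out.println("accepted: " + validate(s)); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```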

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2022-06168
CVE-2022-40955
GHSA-26M4-QJP9-XMC6

Affected Products

Apache Inlong