PT-2023-22706 · Apache · Apache Inlong

Escape Wang · Published 2023-04-11 · Updated 2024-10-22 · CVE-2023-30465

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache InLong versions 1.4.0 through 1.5.0

Description: The issue is an SQL injection vulnerability. By manipulating the orderType parameter, an attacker can extract the username of the user with ID 1 from the "user" table, one character at a time, using an SQL injection attack.

Recommendations: To resolve the issue, upgrade to Apache InLong 1.6.0 or cherry-pick the fix from PR #7529 or PR #7530. As a temporary workaround, consider restricting access to the orderType parameter to minimize the risk of exploitation.
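The orderType value ends up in an ORDER BY clause, where bind parameters cannot be used, so the defensive fix is an allowlist of the only values the parameter can legitimately take. The following is an added illustration, not code from Apache InLong or from the referenced PRs; the table layout, the sortable column names and the sample rows are constructed assumptions.

```python
import sqlite3

# The only sort directions an ORDER BY clause can take.
ALLOWED_ORDER_TYPES = {"ASC", "DESC"}
# Hypothetical sortable columns; a real service would list its own.
ALLOWED_ORDER_FIELDS = {"id", "name", "create_time"}


def build_query_unsafe(order_field: str, order_type: str) -> str:
    # Vulnerable shape: caller-controlled text is spliced straight into the
    # ORDER BY clause. Placeholders cannot protect identifiers or keywords,
    # so anything the caller sends becomes part of the SQL statement.
    return f"SELECT id, name FROM user ORDER BY {order_field} {order_type}"


def validate_order_type(order_type: str) -> str:
    # Normalize, then accept only an allowlisted token; reject everything else.
    normalized = order_type.strip().upper()
    if normalized not in ALLOWED_ORDER_TYPES:
        raise ValueError(f"rejected orderType: {order_type!r}")
    return normalized


def validate_order_field(order_field: str) -> str:
    normalized = order_field.strip().lower()
    if normalized not in ALLOWED_ORDER_FIELDS:
        raise ValueError(f"rejected orderField: {order_field!r}")
    return normalized


def build_query_safe(order_field: str, order_type: str) -> str:
    # Only validated tokens reach the SQL text, so the statement shape is fixed.
    field = validate_order_field(order_field)
    direction = validate_order_type(order_type)
    return f"SELECT id, name FROM user ORDER BY {field} {direction}"


def fetch_users(order_field: str = "id", order_type: str = "ASC") -> list:
    # Runs the hardened query against a constructed in-memory "user" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    sample_rows = [(1, "admin"), (2, "bob"), (3, "carol")]  # constructed data
    conn.executemany("INSERT INTO user VALUES (?, ?)", sample_rows)
    rows = conn.execute(build_query_safe(order_field, order_type)).fetchall()
    conn.close()
    return rows
```

A request whose orderType is anything other than ASC or DESC is refused before any SQL is built, which is the property the temporary workaround in the recommendations is trying to approximate by restricting access to the parameter.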

Fix

SQL injection


Weakness Enumeration

Related identifiers

CVE-2023-30465
GHSA-CQR6-3X3F-9WR3

Affected products

Apache Inlong