CVE-2022-40955

moderate-risk

Published 2022-09-20

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.

Do I need to act?

3.9% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Inlong

Affected Vendors

Apache

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2022/09/22/5

Issue Tracking https://lists.apache.org/thread/r1r34y7bchrpmp9jhfdoohzdmk7pj1q1

Mailing List http://www.openwall.com/lists/oss-security/2022/09/22/5

Issue Tracking https://lists.apache.org/thread/r1r34y7bchrpmp9jhfdoohzdmk7pj1q1

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 7/34 · Low

Exposure 5/34 · Minimal