CVE-2023-30465

moderate-risk

Published 2023-04-11

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the "orderType" parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the user with ID 1 from the "user" table, one character at a time. Users are advised to upgrade to Apache InLong's 1.6.0 or cherry-pick [1] to solve it. https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html [1] https://github.com/apache/inlong/issues/7529 https://github.com/apache/inlong/issues/7529

Do I need to act?

0.57% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Inlong

Affected Vendors

Apache

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2023/04/11/2

Mailing List https://lists.apache.org/thread/mrh4nr3jrlbj6nxkn4q8hddbfh1pnok0

Mailing List http://www.openwall.com/lists/oss-security/2023/04/11/2

Mailing List https://lists.apache.org/thread/mrh4nr3jrlbj6nxkn4q8hddbfh1pnok0

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 2/34 · Minimal

Exposure 7/34 · Low