CVE-2023-35088

moderate-risk
Published 2023-07-25

Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.  In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8198

Do I need to act?

-
0.39% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Apache

References (6)

Mailing List http://seclists.org/fulldisclosure/2023/Jul/43
Mailing List http://www.openwall.com/lists/oss-security/2023/07/25/4
Mailing List https://lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk
Mailing List http://seclists.org/fulldisclosure/2023/Jul/43
Mailing List http://www.openwall.com/lists/oss-security/2023/07/25/4
Mailing List https://lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tk
38
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal