Severity
High
Analysis Summary
CVE-2023-31058 CVSS:8.8
Apache InLong could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw by the autoDeserialize option . By sending specially crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-31064 CVSS:6.5
Apache InLong could allow a remote authenticated attacker to bypass security restrictions, caused by an insecurity direct object references flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to cancel an application.
CVE-2023-31065 CVSS:8.1
Apache InLong could allow a remote authenticated attacker to bypass security restrictions, caused by an insufficient session expiration flaw after user deleted or password changed. By sending a specially crafted request, an attacker could exploit this vulnerability to re use the old session to gain access to the system.
CVE-2023-31066 CVSS:6.5
Apache InLong could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure direct object references flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to delete, edit, stop, and start others’ sources.
CVE-2023-31098 CVSS:7.5
Apache InLong could provide weaker than expected security, caused by the use of a weak password requirements. A remote attacker could exploit this vulnerability to guess the user’s password and access the account.
CVE-2023-31101 CVSS:6.5
Apache InLong could allow a remote authenticated attacker to obtain sensitive information, caused by an insecure default initialization of resource flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to see deleted users’ data, and use this information to launch further attacks against the affected system.
CVE-2023-31103 CVSS:6.5
Apache InLong could allow a remote authenticated attacker to bypass security restrictions, caused by an exposure of resource to wrong sphere flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to change the immutable name and type of cluster.
CVE-2023-31206 CVSS:6.5
Apache InLong could allow a remote authenticated attacker to bypass security restrictions, caused by an exposure of resource to wrong sphere flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to change the immutable name and type of nodes.
CVE-2023-31453 CVSS:6.5
Apache InLong could allow a remote authenticated attacker to bypass security restrictions, caused by an incorrect permission assignment for critical resource flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to delete arbitrary subscriptions.
CVE-2023-31454 CVSS:6.5
Apache InLong could allow a remote authenticated attacker to bypass security restrictions, caused by an incorrect permission assignment for critical resource flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to bind arbitrary clusters.
Impact
- Code Execution
- Security Bypass
- Information Disclosure
Indicators Of Compromise
CVE
- CVE-2023-25927
Affected Vendors
Apache
Affected Products
- Apache InLong 1.4.0
- Apache InLong 1.2.0
- Apache InLong 1.1.0
- Apache InLong 1.5.0
- Apache InLong 1.6.0
Remediation
Upgrade to the latest version of Apache InLong, available from the InLong GIT Repository.