Severity
High
Analysis Summary
CVE-2023-34434 CVSS:7.5
Apache InLong could allow a remote attacker to obtain sensitive information, caused by an unsafe deserialization flaw by the allowLoadLocalInfileInPath parameter. By sending a specially crafted request, an attacker could exploit this vulnerability to read arbitrary files, and use this information to launch further attacks against the affected system.
CVE-2023-34189 CVSS:8.1
Apache InLong could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially crafted request, an attacker could exploit this vulnerability to delete and update the process.
CVE-2023-35088 CVSS:6.5
Apache InLong is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements to the audit endpoint, which could allow the attacker to view, add, modify or delete information in the back-end database.
Impact
- Information Disclosure
- Security Bypass
- Data Manipulation
Indicators Of Compromise
CVE
- CVE-2023-34434
- CVE-2023-34189
- CVE-2023-35088
Affected Vendors
Apache
Affected Products
- Apache InLong 1.4.0
- Apache InLong 1.5.0
- Apache InLong 1.6.0
- Apache InLong 1.7.0
Remediation
Upgrade to the latest version of Apache InLong, available from the Apache Web site.