CVE-2025-27528 (GCVE-0-2025-27528)
Vulnerability from cvelistv5
Published
2025-05-28 08:12
Modified
2025-05-28 13:20
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.13.0 through 2.1.0.
This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/11747
References
Source | URL | Tags
---|---|---
security@apache.org | https://github.com/apache/inlong/pull/11747 | Issue Tracking
security@apache.org | https://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/05/28/3 | Mailing List, Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache InLong | 1.13.0 ≤ 2.1.0
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2025-05-28T09:04:24.174Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "http://www.openwall.com/lists/oss-security/2025/05/28/3" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-27528", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-05-28T13:20:18.115387Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-28T13:20:49.864Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache InLong", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.1.0", "status": "affected", "version": "1.13.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "yulat" }, { "lang": "en", "type": "finder", "value": "m4x" }, { "lang": "en", "type": "finder", "value": "h3h3qaq" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Apache InLong.\u003c/p\u003e\u003cp\u003eThis issue affects Apache InLong: from 1.13.0 through 2.1.0. 
\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis\nvulnerability allows attackers to bypass the security mechanisms of InLong\nJDBC and leads to arbitrary file reading.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers are advised to upgrade to Apache InLong\u0027s 2.2.0 or cherry-pick [1] to solve it.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e[1] \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/11747\"\u003ehttps://github.com/apache/inlong/pull/11747\u003c/a\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e" } ], "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.\n\nThis issue affects Apache InLong: from 1.13.0 through 2.1.0. \n\nThis\nvulnerability allows attackers to bypass the security mechanisms of InLong\nJDBC and leads to arbitrary file reading.\u00a0Users are advised to upgrade to Apache InLong\u0027s 2.2.0 or cherry-pick [1] to solve it.\n\n[1] https://github.com/apache/inlong/pull/11747" } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-28T08:12:27.609Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj" }, { "tags": [ "patch" ], "url": "https://github.com/apache/inlong/pull/11747" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": 
"f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-27528", "datePublished": "2025-05-28T08:12:27.609Z", "dateReserved": "2025-02-27T07:32:40.617Z", "dateUpdated": "2025-05-28T13:20:49.864Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2025-27528\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2025-05-28T08:15:21.830\",\"lastModified\":\"2025-06-03T15:36:47.120\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Deserialization of Untrusted Data vulnerability in Apache InLong.\\n\\nThis issue affects Apache InLong: from 1.13.0 through 2.1.0. \\n\\nThis\\nvulnerability allows attackers to bypass the security mechanisms of InLong\\nJDBC and leads to arbitrary file reading.\u00a0Users are advised to upgrade to Apache InLong\u0027s 2.2.0 or cherry-pick [1] to solve it.\\n\\n[1] https://github.com/apache/inlong/pull/11747\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Apache InLong. Este problema afecta a Apache InLong desde la versi\u00f3n 1.13.0 hasta la 2.1.0. Esta vulnerabilidad permite a los atacantes eludir los mecanismos de seguridad de InLong JDBC y permite la lectura arbitraria de archivos. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.2.0 de Apache InLong o seleccionar cuidadosamente [1] para solucionarlo. 
[1] https://github.com/apache/inlong/pull/11747\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.13.0\",\"versionEndExcluding\":\"2.2.0\",\"matchCriteriaId\":\"BBE3933A-B8FF-4352-817C-AA8F96DB4434\"}]}]}],\"references\":[{\"url\":\"https://github.com/apache/inlong/pull/11747\",\"source\":\"security@apache.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/05/28/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}", "vulnrichment": { "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/05/28/3\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-05-28T09:04:24.174Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", 
\"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-27528\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-28T13:20:18.115387Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-28T13:20:44.495Z\"}}], \"cna\": {\"title\": \"Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"yulat\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"m4x\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"h3h3qaq\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache InLong\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.13.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.1.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/apache/inlong/pull/11747\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Deserialization of Untrusted Data vulnerability in Apache InLong.\\n\\nThis issue affects Apache InLong: from 1.13.0 through 2.1.0. 
\\n\\nThis\\nvulnerability allows attackers to bypass the security mechanisms of InLong\\nJDBC and leads to arbitrary file reading.\\u00a0Users are advised to upgrade to Apache InLong\u0027s 2.2.0 or cherry-pick [1] to solve it.\\n\\n[1] https://github.com/apache/inlong/pull/11747\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eDeserialization of Untrusted Data vulnerability in Apache InLong.\u003c/p\u003e\u003cp\u003eThis issue affects Apache InLong: from 1.13.0 through 2.1.0. \\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThis\\nvulnerability allows attackers to bypass the security mechanisms of InLong\\nJDBC and leads to arbitrary file reading.\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: var(--wht);\\\"\u003eUsers are advised to upgrade to Apache InLong\u0027s 2.2.0 or cherry-pick [1] to solve it.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e[1] \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://github.com/apache/inlong/pull/11747\\\"\u003ehttps://github.com/apache/inlong/pull/11747\u003c/a\u003e\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2025-05-28T08:12:27.609Z\"}}}", "cveMetadata": "{\"cveId\": \"CVE-2025-27528\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-28T13:20:49.864Z\", \"dateReserved\": \"2025-02-27T07:32:40.617Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2025-05-28T08:12:27.609Z\", \"assignerShortName\": \"apache\"}", "dataType": "CVE_RECORD", "dataVersion": "5.1" } } }
Sightings
Author | Source | Type | Date
---|---|---|---
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.