fkie_cve-2025-27528
Vulnerability from fkie_nvd
Published
2025-05-28 08:15
Modified
2025-06-03 15:36
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747
References
security@apache.orghttps://github.com/apache/inlong/pull/11747Issue Tracking
security@apache.orghttps://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgjVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2025/05/28/3Mailing List, Third Party Advisory
Impacted products
Vendor Product Version
apache inlong *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BBE3933A-B8FF-4352-817C-AA8F96DB4434",
              "versionEndExcluding": "2.2.0",
              "versionStartIncluding": "1.13.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.\n\nThis issue affects Apache InLong: from 1.13.0 through 2.1.0. \n\nThis\nvulnerability allows attackers to bypass the security mechanisms of InLong\nJDBC and leads to arbitrary file reading.\u00a0Users are advised to upgrade to Apache InLong\u0027s 2.2.0 or cherry-pick [1] to solve it.\n\n[1]  https://github.com/apache/inlong/pull/11747"
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Apache InLong. Este problema afecta a Apache InLong desde la versi\u00f3n 1.13.0 hasta la 2.1.0. Esta vulnerabilidad permite a los atacantes eludir los mecanismos de seguridad de InLong JDBC y permite la lectura arbitraria de archivos. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.2.0 de Apache InLong o seleccionar cuidadosamente [1] para solucionarlo. [1] https://github.com/apache/inlong/pull/11747"
    }
  ],
  "id": "CVE-2025-27528",
  "lastModified": "2025-06-03T15:36:47.120",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-28T08:15:21.830",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/apache/inlong/pull/11747"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/05/28/3"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.