CVE-2022-40955

Deserialization attack in Apache InLong prior to version 1.3.0 allows RCE via JDBC

CVSS 8.8 HIGHEPSS 2.1%CWE-502

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.8EPSS 2.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

20 set 2022Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Produtos afetados

Apache Software Foundation · Apache InLong

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://lists.apache.org/thread/r1r34y7bchrpmp9jhfdoohzdmk7pj1q1 http://www.openwall.com/lists/oss-security/2022/09/22/5