{"id":2977,"date":"2025-05-29T15:37:12","date_gmt":"2025-05-29T15:37:12","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=2977"},"modified":"2025-05-29T15:37:12","modified_gmt":"2025-05-29T15:37:12","slug":"apache-inlong-jdbc-vulnerability-allows-deserialization-of-untrusted-information","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=2977","title":{"rendered":"Apache InLong JDBC Vulnerability Allows Deserialization of Untrusted Information"},"content":{"rendered":"


\n<\/p>\n

\n

A moderate-severity vulnerability, tracked as CVE-2025-27522<\/a>, has been disclosed in Apache InLong, a preferred knowledge integration platform. <\/p>\n

The flaw,<\/a> affecting variations 1.13.0 by means of 2.1.0, facilities on the deserialization of untrusted knowledge<\/em> throughout JDBC (Java Database Connectivity) verification processing. <\/p>\n

This vulnerability is assessed as a secondary mining bypass<\/em> for the beforehand reported CVE-2024-26579, indicating that earlier patches have been inadequate and attackers can nonetheless exploit the system by means of various vectors.<\/p>\n

– Commercial –<\/span>
\n\"Google<\/a><\/div>\n

Deserialization vulnerabilities happen when an utility processes knowledge that may be manipulated by an attacker, permitting them to execute arbitrary code or entry delicate info. <\/p>\n

On this case, the vulnerability permits risk actors to bypass safety mechanisms within the InLong JDBC part, probably resulting in unauthorized knowledge manipulation or info disclosure.<\/p>\n

Technical Particulars and Influence<\/strong><\/h2>\n

The vulnerability is rooted in the way in which Apache InLong handles serialized knowledge throughout verification. <\/p>\n

Particularly, the system fails to adequately validate or sanitize incoming serialized objects, opening the door for attackers to craft malicious payloads. <\/p>\n

When these payloads are deserialized, they will set off unintended behaviors, resembling arbitrary file studying or code execution.<\/p>\n

The Frequent Weak point Enumeration (CWE) identifier for this challenge is CWE-502: Deserialization of Untrusted Information<\/em>. <\/p>\n

The vulnerability is network-exploitable and doesn’t require consumer interplay, with a CVSS v3.1 base rating estimated between 5.3 and 6.5, reflecting a reasonable to excessive threat profile. <\/p>\n

Though there may be at the moment no public proof-of-concept <\/a>or proof of energetic exploitation, the potential for knowledge breaches or system compromise stays vital.<\/p>\n

Affected Variations and Elements<\/strong><\/h2>\n

The next desk summarizes the affected merchandise and really useful remediation steps:<\/p>\n

\n\n\n\n\n\n\n
Affected Software program<\/th>\nAffected Variations<\/th>\nMounted Model \/ Patch<\/th>\n<\/tr>\n<\/thead>\n
Apache InLong<\/td>\n1.13.0 \u2013 2.1.0<\/td>\n2.2.0 or cherry-pick #11732<\/td>\n<\/tr>\n
maven\/org.apache.inlong:manager-pojo<\/td>\n1.13.0 \u2013 2.2.0<\/td>\n2.2.0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Mitigation and Suggestions<\/strong><\/h2>\n

To handle CVE-2025-27522, Apache advises all customers to improve to model 2.2.0 of InLong or apply the patch accessible in GitHub pull request #11732. <\/p>\n

Extra greatest practices embrace:<\/p>\n