CVE-2022-40955
HIGH
Apache InLong <1.3.0 - Deserialization
Title source: llm
Description
In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.
Scores
CVSS v3
8.8
EPSS
0.0381
EPSS Percentile
87.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
Status
published
Affected Products (2)
apache/inlong
< 1.3.0
org.apache.inlong/inlong-common
< 1.3.0
Maven
Timeline
Published
Sep 20, 2022
Tracked Since
Feb 18, 2026