CVE-2024-26580: Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability

March 6, 2024 (updated March 7, 2024)

Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can

use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong’s 1.11.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/9673

References

github.com/advisories/GHSA-p2gx-4434-pf6g
github.com/apache/inlong
github.com/apache/inlong/commit/1b63af3e1f208602f60b5ce19af7413443c3027c
github.com/apache/inlong/pull/9673
lists.apache.org/thread/xvomf66l58x4dmoyzojflvx52gkzcdmk
nvd.nist.gov/vuln/detail/CVE-2024-26580

Detect and mitigate CVE-2024-26580 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →