CVE-2024-26580 - Vulnerability Details - OpenCVE

Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Apache	Inlong

Configuration 1 [-]

cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/03/06/1
https://lists.apache.org/thread/xvomf66l58x4dmoyzojflvx52gkzcdmk

History

Wed, 07 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:apache:inlong::::::::

Thu, 13 Feb 2025 17:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673	Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can use the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/9673

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-03-06T12:07:28.140Z

Updated: 2025-02-13T17:41:17.092Z

Reserved: 2024-02-19T09:32:54.853Z

Link: CVE-2024-26580

Vulnrichment

Updated: 2024-08-02T00:07:19.633Z

NVD

Status : Analyzed

Published: 2024-03-06T12:15:45.743

Modified: 2025-05-07T15:45:54.993

Link: CVE-2024-26580

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26580", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-02-19T09:32:54.853Z", "datePublished": "2024-03-06T12:07:28.140Z", "dateUpdated": "2025-02-13T17:41:17.092Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache InLong", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.10.0", "status": "affected", "version": "1.4.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "an4er"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.<p>This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can \n\n<span style=\"background-color: rgb(255, 255, 255);\">use the specific payload to read from an arbitrary file</span>. <span style=\"background-color: var(--wht);\">Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it.</span></p>\n\n<p><span style=\"background-color: rgb(255, 255, 255);\">[1] <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/9673\">https://github.com/apache/inlong/pull/9673</a></span></p>\n\n<p></p>"}], "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can \n\nuse the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it.\n\n[1] https://github.com/apache/inlong/pull/9673"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-05-01T18:12:27.098Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/xvomf66l58x4dmoyzojflvx52gkzcdmk"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/06/1"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "affected": [{"vendor": "apache", "product": "inlong", "cpes": ["cpe:2.3:a:apache:inlong:1.4.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "1.4.0", "status": "affected", "lessThanOrEqual": "1.10.0", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-26T15:08:04.403930Z", "id": "CVE-2024-26580", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T15:09:14.088Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.633Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/xvomf66l58x4dmoyzojflvx52gkzcdmk"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/06/1", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/xvomf66l58x4dmoyzojflvx52gkzcdmk", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/06/1", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.633Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-26580", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-26T15:08:04.403930Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:inlong:1.4.0:*:*:*:*:*:*:*"], "vendor": "apache", "product": "inlong", "versions": [{"status": "affected", "version": "1.4.0", "versionType": "semver", "lessThanOrEqual": "1.10.0"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-26T15:08:29.600Z"}}], "cna": {"title": "Apache InLong: Logged-in user could exploit an arbitrary file read vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "an4er"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache InLong", "versions": [{"status": "affected", "version": "1.4.0", "versionType": "semver", "lessThanOrEqual": "1.10.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/xvomf66l58x4dmoyzojflvx52gkzcdmk", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/06/1"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can \n\nuse the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it.\n\n[1] https://github.com/apache/inlong/pull/9673", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.<p>This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can \n\n<span style=\"background-color: rgb(255, 255, 255);\">use the specific payload to read from an arbitrary file</span>. <span style=\"background-color: var(--wht);\">Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it.</span></p>\n\n<p><span style=\"background-color: rgb(255, 255, 255);\">[1] <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/9673\">https://github.com/apache/inlong/pull/9673</a></span></p>\n\n<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-05-01T18:12:27.098Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26580", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:41:17.092Z", "dateReserved": "2024-02-19T09:32:54.853Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-03-06T12:07:28.140Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:inlong:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B78599C-0495-4414-84C0-9AA896FCF64A", "versionEndExcluding": "1.11.0", "versionStartIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.8.0 through 1.10.0, the attackers can \n\nuse the specific payload to read from an arbitrary file. Users are advised to upgrade to Apache InLong's 1.11.0 or cherry-pick [1] to solve it.\n\n[1] https://github.com/apache/inlong/pull/9673"}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Apache InLong. Este problema afecta a Apache InLong: desde 1.8.0 hasta 1.10.0, los atacantes pueden usar el payload espec\u00edfica para leer desde un archivo arbitrario. Se recomienda a los usuarios actualizar a Apache InLong 1.11.0 o seleccionar [1] para resolverlo. [1] https://github.com/apache/inlong/pull/9673"}], "id": "CVE-2024-26580", "lastModified": "2025-05-07T15:45:54.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-06T12:15:45.743", "references": [{"source": "[email protected]", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/03/06/1"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/xvomf66l58x4dmoyzojflvx52gkzcdmk"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/03/06/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/xvomf66l58x4dmoyzojflvx52gkzcdmk"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}