Apache InLong: Jdbc Connection causes arbitrary file reading in InLong
Description
Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7214 to solve it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong versions 1.1.0 through 1.5.0 contain an out-of-bounds read vulnerability in the Manager module when processing MySQL JDBC URLs.
CVE-2023-24977: Out-of-Bounds Read in Apache InLong
Apache InLong, a one-stop integration framework for massive data, is affected by an out-of-bounds read vulnerability in versions 1.1.0 through 1.5.0. The flaw resides in the Manager component, which fails to properly validate encoding and certain unsafe parameters in MySQL JDBC URLs. This allows an attacker to craft a URL that triggers an out-of-bounds memory read, potentially exposing sensitive information.
The issue is addressed in GitHub pull request #7214, which adds a check for URL encoding and blocks three unsafe parameters (allowLoadLocalInfile, allowUrlInLocalInfile, allowLoadLocalInfileInPath) known to cause arbitrary file reading problems [3]. An attacker can exploit this by supplying a malicious JDBC URL to the Manager module, possibly without authentication depending on the deployment configuration.
Successful exploitation could lead to information disclosure through the out-of-bounds read, potentially leaking memory contents. The official advisory [1] recommends upgrading to the latest version of Apache InLong or applying the cherry-pick of PR #7214 to mitigate the vulnerability.
At the time of writing, no public exploit code has been reported, and Apache has not listed this CVE in the Known Exploited Vulnerabilities catalog. Users are strongly advised to update immediately as the vulnerability poses a risk to data confidentiality.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.inlong:inlong (Maven) | >= 1.1.0, <= 1.5.0 | — |
Affected products
- (no CPE) range: >=1.1.0, <=1.5.0
- (no CPE) range: 1.1.0
Patches
19008b6dcb8cc [INLONG-7213][Manager] Add encoding check to the MySQL JDBC URL (#7214)
2 files changed · +68 −19
inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java+25 −9 modified@@ -32,6 +32,8 @@ import org.slf4j.LoggerFactory; import javax.validation.constraints.NotNull; +import java.net.URLDecoder; +import java.util.HashMap; import java.util.List; import java.util.Map; @@ -47,8 +49,16 @@ public class MySQLSinkDTO { /** * The sensitive param may lead the attack. */ - private static final String SENSITIVE_PARAM_TRUE = "autoDeserialize=true"; - private static final String SENSITIVE_PARAM_FALSE = "autoDeserialize=false"; + private static final Map<String, String> SENSITIVE_PARAM_MAP = new HashMap<String, String>() { + + { + put("autoDeserialize=true", "autoDeserialize=false"); + put("allowLoadLocalInfile=true", "allowLoadLocalInfile=false"); + put("allowUrlInLocalInfile=true", "allowUrlInLocalInfile=false"); + put("allowLoadLocalInfileInPath=/", "allowLoadLocalInfileInPath="); + } + }; + private static final Logger LOGGER = LoggerFactory.getLogger(MySQLSinkDTO.class); @ApiModelProperty("MySQL JDBC URL, such as jdbc:mysql://host:port/database") 
@@ -178,14 +188,20 @@ protected static String filterSensitive(String url) { if (StringUtils.isBlank(url)) { return url; } - - String resultUrl = url; - if (StringUtils.containsIgnoreCase(url, SENSITIVE_PARAM_TRUE)) { - resultUrl = StringUtils.replaceIgnoreCase(url, SENSITIVE_PARAM_TRUE, SENSITIVE_PARAM_FALSE); + try { + String resultUrl = URLDecoder.decode(url, "UTF-8"); + for (String sensitiveParam : SENSITIVE_PARAM_MAP.keySet()) { + if (StringUtils.containsIgnoreCase(resultUrl, sensitiveParam)) { + resultUrl = StringUtils.replaceIgnoreCase(resultUrl, sensitiveParam, + SENSITIVE_PARAM_MAP.get(sensitiveParam)); + } + } + LOGGER.info("the origin url [{}] was replaced to: [{}]", url, resultUrl); + return resultUrl; + } catch (Exception e) { + throw new BusinessException(ErrorCodeEnum.SINK_INFO_INCORRECT, + ErrorCodeEnum.SINK_INFO_INCORRECT.getMessage() + ": " + e.getMessage()); } - - LOGGER.debug("the origin url [{}] was replaced to: [{}]", url, resultUrl); - return resultUrl; } }
inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java+43 −10 modified@@ -20,25 +20,58 @@ import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.Test; +import java.net.URLEncoder; + /** * Test for {@link MySQLSinkDTO} */ public class MySQLSinkDTOTest { @Test - public void testFilterSensitive() { - // the sensitive params at the first - String originUrl = MySQLSinkDTO.filterSensitive("autoDeserialize=TRue&autoReconnect=true"); - Assertions.assertEquals("autoDeserialize=false&autoReconnect=true", originUrl); + public void testFilterSensitive() throws Exception { + // the sensitive params no use url code + String originUrl = MySQLSinkDTO.filterSensitive( + "autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true"); + Assertions.assertEquals( + "autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=&autoReconnect=true", + originUrl); + + originUrl = MySQLSinkDTO.filterSensitive( + "autoReconnect=true&autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/"); + Assertions.assertEquals( + "autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=", + originUrl); + + originUrl = MySQLSinkDTO.filterSensitive( + "autoDeserialize=TRue&allowLoadLocalInfile=TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/"); + Assertions.assertEquals( + "autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=", + originUrl); + + // the sensitive params use url code + originUrl = MySQLSinkDTO.filterSensitive( + URLEncoder.encode( + "autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true", + "UTF-8")); + Assertions.assertEquals( + 
"autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=&autoReconnect=true", + originUrl); - // the sensitive params at the end - originUrl = MySQLSinkDTO.filterSensitive("autoReconnect=true&autoDeserialize=trUE"); - Assertions.assertEquals("autoReconnect=true&autoDeserialize=false", originUrl); + originUrl = MySQLSinkDTO.filterSensitive( + URLEncoder.encode( + "autoReconnect=true&autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/", + "UTF-8")); + Assertions.assertEquals( + "autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=", + originUrl); - // the sensitive params in the middle originUrl = MySQLSinkDTO.filterSensitive( - "useSSL=false&autoDeserialize=TRUE&autoReconnect=true"); - Assertions.assertEquals("useSSL=false&autoDeserialize=false&autoReconnect=true", originUrl); + URLEncoder.encode( + "autoDeserialize=TRue&allowLoadLocalInfile=TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/", + "UTF-8")); + Assertions.assertEquals( + "autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=", + originUrl); } }
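Review bot: in the new SENSITIVE_PARAM_MAP (first MySQLSinkDTO.java hunk), the entry `allowLoadLocalInfileInPath=/` only matches a value that begins with `/`; because the filter is a substring replacement, a value such as `/tmp` is rewritten to `allowLoadLocalInfileInPath=tmp` instead of being removed, and a value that does not start with `/` is not touched at all. Suggest keying the check on the parameter name (strip or reject any occurrence of the key, whatever its value) rather than on a literal key=value pair. Minor style point: the double-brace initializer creates an anonymous HashMap subclass that stays mutable; a `Collections.unmodifiableMap` built in a static block reads the same and cannot be altered at runtime.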
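Review bot: in the `filterSensitive` hunk, the log statement was raised from `debug` to `info` and now records both the original and the decoded JDBC URL; a JDBC URL may carry `user=`/`password=` query parameters, so this writes credentials to the Manager log at the default level. Suggest keeping it at `debug` or masking the query string. Two further points: the method now returns the output of `URLDecoder.decode(url, "UTF-8")` rather than the original string, so any legitimately percent-encoded value (and any literal `+`, which URLDecoder turns into a space) reaches the driver altered, which should either be intended and documented or avoided by decoding into a temporary for inspection only; and `catch (Exception e)` is broader than the `UnsupportedEncodingException`/`IllegalArgumentException` that `decode` can throw, so narrowing it keeps unrelated failures visible.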
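Review bot: the rewritten `testFilterSensitive` only exercises positive matches; there is no assertion that a URL without sensitive parameters is returned unchanged, and none for the new failure path in which a malformed percent sequence makes `URLDecoder.decode` throw and `filterSensitive` must surface `BusinessException` with `ErrorCodeEnum.SINK_INFO_INCORRECT`. Suggest adding both, plus at least one input in the full `jdbc:mysql://host:port/database?...` form that the `@ApiModelProperty` documents, since every current case is a bare query string.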
Vulnerability mechanics
Root cause
"Missing URL decoding before filtering sensitive JDBC URL parameters allows bypass via URL-encoded payloads."
Attack vector
An attacker who can supply or influence the MySQL JDBC URL used by Apache InLong can inject sensitive parameters such as `autoDeserialize=true`, `allowLoadLocalInfile=true`, `allowUrlInLocalInfile=true`, or `allowLoadLocalInfileInPath=/`. By URL-encoding these parameters, the attacker can bypass the original filter, which only performed a case-insensitive string replacement for `autoDeserialize=true`. When the JDBC driver processes the decoded URL, these parameters enable deserialization attacks or local file inclusion, leading to an out-of-bounds read condition [patch_id=1641080].
Affected code
The vulnerability resides in `MySQLSinkDTO.filterSensitive()` within `inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java`. The original code only checked for the single sensitive parameter `autoDeserialize=true` and did not URL-decode the input before filtering, allowing attackers to bypass the check by URL-encoding the malicious parameters.
What the fix does
The patch modifies `filterSensitive()` to first URL-decode the input URL using `URLDecoder.decode(url, "UTF-8")` before applying any filtering [patch_id=1641080]. It also replaces the single hardcoded sensitive parameter check with a `Map` containing four sensitive parameter pairs: `autoDeserialize`, `allowLoadLocalInfile`, `allowUrlInLocalInfile`, and `allowLoadLocalInfileInPath`. This ensures that URL-encoded attack payloads are decoded and then neutralized, closing the bypass vector.
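As an added illustration (not code from InLong or from the patch), the following Python model reproduces `filterSensitive()` before and after the fix and adds a stricter key-based check; `blocked_keys_present` and `BLOCKED_KEYS` are our own addition, and `unquote_plus` stands in for Java's `URLDecoder.decode(url, "UTF-8")`, which likewise maps `+` to a space.

```python
"""Constructed Python model of MySQLSinkDTO.filterSensitive() before and after PR #7214."""
import re
from urllib.parse import parse_qsl, unquote_plus

# The four key=value pairs the patch rewrites (taken from SENSITIVE_PARAM_MAP in the diff).
SENSITIVE_PARAM_MAP = {
    "autoDeserialize=true": "autoDeserialize=false",
    "allowLoadLocalInfile=true": "allowLoadLocalInfile=false",
    "allowUrlInLocalInfile=true": "allowUrlInLocalInfile=false",
    "allowLoadLocalInfileInPath=/": "allowLoadLocalInfileInPath=",
}
# Parameter names a stricter, key-based check refuses outright (our addition, not in the patch).
BLOCKED_KEYS = {k.split("=")[0].lower() for k in SENSITIVE_PARAM_MAP}


def _replace_ignore_case(text: str, needle: str, replacement: str) -> str:
    """Stand-in for Commons Lang StringUtils.replaceIgnoreCase."""
    return re.sub(re.escape(needle), replacement, text, flags=re.IGNORECASE)


def filter_sensitive_before(url: str) -> str:
    """Pre-patch behaviour: a single literal, matched on the raw (still encoded) string."""
    if not url:
        return url
    return _replace_ignore_case(url, "autoDeserialize=true", "autoDeserialize=false")


def filter_sensitive_after(url: str) -> str:
    """Patched behaviour: percent-decode first (URLDecoder semantics, '+' becomes a space),
    then rewrite every pair in the map; note that the decoded string is what is returned."""
    if not url:
        return url
    result = unquote_plus(url)
    for unsafe, safe in SENSITIVE_PARAM_MAP.items():
        result = _replace_ignore_case(result, unsafe, safe)
    return result


def blocked_keys_present(url: str) -> list[str]:
    """Key-based check: parse the query string and report any blocked parameter name,
    whatever its value or case. Accepts a bare query string or a full jdbc:mysql:// URL."""
    query = url.split("?", 1)[1] if "?" in url else url
    found = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(found & BLOCKED_KEYS)
```

The key-based check is the stricter option: the replacement map only rewrites the literal pairs it knows, so a value like `allowLoadLocalInfileInPath=/tmp` becomes `allowLoadLocalInfileInPath=tmp` rather than disappearing, whereas `blocked_keys_present` flags the parameter by name.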
Preconditions
- input: Attacker must be able to supply or control the MySQL JDBC URL configuration in Apache InLong (e.g., via sink configuration).
- config: The affected version must be Apache InLong from 1.1.0 through 1.5.0.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q9p5-w2v9-6wxf (ADVISORY, via ghsa)
- lists.apache.org/thread/ggozxorctn3tdll7bgmpwwcbjnd0s6w7 (WEB, vendor-advisory, via ghsa)
- nvd.nist.gov/vuln/detail/CVE-2023-24977 (ADVISORY, via ghsa)
- github.com/apache/inlong/pull/7214 (WEB, via ghsa)