VYPR
Critical severity · NVD Advisory · Published Feb 1, 2023 · Updated Mar 26, 2025

Apache InLong: Jdbc Connection Security Bypass

CVE-2023-24997

Description

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7223 to solve it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache InLong versions 1.1.0 through 1.5.0 contain a deserialization of untrusted data vulnerability in the Manager component, exploitable via a crafted MySQL JDBC URL.

Vulnerability

Description

CVE-2023-24997 is a deserialization of untrusted data vulnerability in the Apache InLong data integration framework. The flaw resides in the Manager component, whose sensitive-parameter filter for user-supplied MySQL JDBC URLs (filterSensitive in MySQLSinkDTO) URL-decodes the URL only once before removing dangerous connection parameters. A parameter that has been URL-encoded more than once survives that single decode, is not recognised by the filter, and is passed through to the JDBC driver, which is how an attacker-controlled connection can be steered into deserializing untrusted data. This issue affects all versions from 1.1.0 up to and including 1.5.0 [1][2].

Attack

Vector

An attacker with access to the InLong Manager interface can exploit this vulnerability by supplying a crafted MySQL JDBC URL when configuring a MySQL sink. No credentials for a legitimate MySQL server are needed; the attacker only has to control the JDBC URL field that the Manager filters and then hands to the JDBC driver. The attack is network-based and requires no privilege beyond the ability to configure a data source or sink within the InLong platform [1][2].

Impact

Successful exploitation allows an attacker to perform arbitrary code execution on the InLong Manager server. Because deserialization of untrusted data can lead to the instantiation of arbitrary classes, the attacker can deploy payloads that execute operating system commands, read sensitive files, or move laterally within the network. This gives the attacker full control over the integrity, confidentiality, and availability of the InLong instance and potentially the underlying host [2].

Mitigation

The fix is available via pull request #7223 on the Apache InLong GitHub repository. It changes filterSensitive to keep URL-decoding the MySQL JDBC URL while any percent-escape remains, so that multiply-encoded parameters are reduced to their plain form before the sensitive-parameter filter runs [1][3]. Users should upgrade to a patched version (1.6.0 or later) or manually cherry-pick the commit from the pull request [2]. As of publication, no evidence exists that this vulnerability is actively exploited in the wild, but given the severity, immediate remediation is recommended.
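The filter bypass and the fix described above, as an added worked example in Python; this is not InLong's code. The `SENSITIVE_PARAMS` denylist, the sample JDBC URLs and the function names are constructed for illustration (the contents of the real `SENSITIVE_PARAM_MAP` are not reproduced on this page), and `decode_once` imitates `java.net.URLDecoder` by treating a `%` that is not followed by two hex digits as an error. The example shows the pre-#7223 single decode letting a double-encoded parameter through, the patched decode-while-percent-remains loop catching it, and the edge case that loop mishandles: a fully decoded value that legitimately contains a `%`, which the loop turns into a decode error. `filter_fixed_point` is an added alternative that stops when another decoding round no longer changes the string.

```python
import re
from urllib.parse import unquote_plus

# Constructed denylist for illustration: the real SENSITIVE_PARAM_MAP in
# MySQLSinkDTO is not reproduced on this page. Keys are matched
# case-insensitively and replaced by the value, mirroring the
# StringUtils.replaceIgnoreCase loop visible in the patch.
SENSITIVE_PARAMS = {
    "autoDeserialize=true": "autoDeserialize=false",
    "allowLoadLocalInfile=true": "allowLoadLocalInfile=false",
    "allowUrlInLocalInfile=true": "allowUrlInLocalInfile=false",
}

# A '%' that is not followed by two hex digits.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def decode_once(url: str) -> str:
    """One round of URL decoding with java.net.URLDecoder semantics:
    '+' becomes a space and a malformed percent-escape is an error."""
    if _BAD_ESCAPE.search(url):
        raise ValueError("malformed percent-escape in JDBC URL")
    return unquote_plus(url)


def strip_sensitive(url: str) -> str:
    """Denylist pass applied to the (decoded) URL: substring match, case-insensitive."""
    for needle, replacement in SENSITIVE_PARAMS.items():
        url = re.sub(re.escape(needle), replacement, url, flags=re.IGNORECASE)
    return url


def filter_vulnerable(url: str) -> str:
    """Pre-#7223 behaviour: decode exactly once, then filter."""
    return strip_sensitive(decode_once(url))


def filter_patched(url: str) -> str:
    """Post-#7223 behaviour: keep decoding while any '%' remains, then filter."""
    decoded = url
    while "%" in decoded:
        decoded = decode_once(decoded)
    return strip_sensitive(decoded)


def filter_fixed_point(url: str, max_rounds: int = 8) -> str:
    """Added alternative (not InLong's code): decode leniently until the
    string stops changing. A '%' that is not a valid escape is left alone,
    so a fully decoded value may legitimately contain one; the round cap
    bounds the work on adversarial input."""
    decoded = url
    for _ in range(max_rounds):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            return strip_sensitive(decoded)
        decoded = nxt
    raise ValueError("JDBC URL has too many encoding layers")


def rejects(filter_fn, url: str) -> bool:
    """True if the given filter raises ValueError on this URL."""
    try:
        filter_fn(url)
        return False
    except ValueError:
        return True


# Constructed sample URLs (hypothetical host and parameters).
BASE = "jdbc:mysql://db.example.internal:3306/inlong?user=inlong"
PLAIN = BASE + "&autoDeserialize=true"
DOUBLE_ENCODED = BASE + "&autoDeserialize%253Dtrue"   # '=' percent-encoded twice
LEGIT_PERCENT = BASE + "&password=p%25ss"             # password is literally p%ss


if __name__ == "__main__":
    for name, url in (("plain", PLAIN), ("double-encoded", DOUBLE_ENCODED)):
        print(f"{name:15} vulnerable -> {filter_vulnerable(url)}")
        print(f"{name:15} patched    -> {filter_patched(url)}")
    print("legit '%' rejected by patched filter:", rejects(filter_patched, LEGIT_PERCENT))
    print("fixed-point result:", filter_fixed_point(LEGIT_PERCENT))
```

The single decode leaves `autoDeserialize%3Dtrue` in the URL, which the denylist does not match, so the parameter survives and is decoded by whatever consumes the URL next. Both the patched loop and the fixed-point variant reduce it to `autoDeserialize=true` before filtering. Either way the filter is still a substring denylist over the decoded string; an allowlist of accepted connection properties is the more robust check for a practitioner hardening their own deployment.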

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.inlong:inlong (Maven)
Affected versions: >= 1.1.0, <= 1.5.0
Patched versions: not listed in the advisory data shown here


Patches (1)

Commit 835f0d889fa1: [INLONG-7222][Manager] Decode the MySQL JDBC URL thoroughly (#7223)

Repository https://github.com/apache/inlong · author fuweng11 · Jan 12, 2023 · via ghsa-ref
2 files changed · +7 −1
  • inlong-manager/manager-common/src/main/java/org/apache/inlong/manager/common/consts/InlongConstants.java+2 0 modified
    @@ -43,6 +43,8 @@ public class InlongConstants {
     
         public static final String LEFT_BRACKET = "(";
     
    +    public static final String PERCENT = "%";
    +
         public static final String ADMIN_USER = "admin";
     
         public static final Integer AFFECTED_ONE_ROW = 1;
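Review bot: `PERCENT` is named after the glyph rather than its role in this hunk; a short comment on the constant (or a name such as `URL_ESCAPE_PREFIX`) would tell readers of this constants class that it marks a percent-escape and that the decoder treats a URL as fully decoded once none remain.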
    
  • inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java+5 1 modified
    @@ -25,6 +25,7 @@
     import lombok.Data;
     import lombok.NoArgsConstructor;
     import org.apache.commons.lang3.StringUtils;
    +import org.apache.inlong.manager.common.consts.InlongConstants;
     import org.apache.inlong.manager.common.enums.ErrorCodeEnum;
     import org.apache.inlong.manager.common.exceptions.BusinessException;
     import org.apache.inlong.manager.common.util.JsonUtils;
    @@ -189,7 +190,10 @@ protected static String filterSensitive(String url) {
                 return url;
             }
             try {
    -            String resultUrl = URLDecoder.decode(url, "UTF-8");
    +            String resultUrl = url;
    +            while (resultUrl.contains(InlongConstants.PERCENT)) {
    +                resultUrl = URLDecoder.decode(resultUrl, "UTF-8");
    +            }
                 for (String sensitiveParam : SENSITIVE_PARAM_MAP.keySet()) {
                     if (StringUtils.containsIgnoreCase(resultUrl, sensitiveParam)) {
                         resultUrl = StringUtils.replaceIgnoreCase(resultUrl, sensitiveParam,
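Review bot: the `while (resultUrl.contains(InlongConstants.PERCENT))` loop in this hunk makes any legitimate literal `%` in the fully decoded URL a decode failure: `%25` decodes to `%`, the loop runs again, and `URLDecoder.decode` throws `IllegalArgumentException` for a `%` not followed by two hex digits (a password `p%ss` arrives as `p%25ss`, becomes `p%ss`, and the next round throws). Whatever the enclosing `try` catches (its `catch` is outside this hunk), such URLs are rejected rather than filtered. Consider decoding until a round no longer changes the string, with a bounded number of rounds, and catching `IllegalArgumentException` explicitly so a malformed escape surfaces as a validation error. The denylist that follows is still a case-insensitive substring match over the decoded string; an allowlist of accepted connection properties would be the sturdier check.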
    

