Apache InLong: JDBC Deserialization Vulnerability in InLong
Description
Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong.
It can be triggered by authenticated users of InLong; see [1] for background on this class of vulnerability.
This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick [2] to solve it.
[1] https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html
[2] https://github.com/apache/inlong/pull/7422
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong deserialization flaw allows authenticated users to execute arbitrary code via crafted JDBC URLs.
Vulnerability
Overview
CVE-2023-27296 is a deserialization of untrusted data vulnerability in Apache InLong, affecting versions 1.1.0 through 1.5.0 [2]. The flaw resides in the handling of MySQL JDBC URLs: connection properties supplied as part of the URL can steer the MySQL driver into unsafe deserialization [2]. The issue was addressed in a pull request that routes the data-node JDBC URL through the existing filter that removes sensitive connection properties [1].
Exploitation
Conditions
An attacker must be an authenticated user of Apache InLong to exploit this vulnerability [2]. By submitting a specially crafted MySQL JDBC URL, the attacker can cause the InLong Manager, acting as the JDBC client, to deserialize untrusted data supplied by the MySQL server the URL points at, which leads to arbitrary code execution. The attack vector is network-based and requires low complexity.
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server, potentially compromising the confidentiality, integrity, and availability of the system. The CVSS 4.0 severity has not been assigned by NVD, but given the impact, it is considered high risk.
Mitigation
Users should upgrade Apache InLong to the latest version or cherry-pick the fix from the referenced pull request [1][3]. No workaround is described beyond moving off the affected versions. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.inlong:inlong-manager (Maven) | >= 1.1.0, < 1.6.0 | 1.6.0 |
Affected products
- Range: 1.1.0
Patches
11ec92895349b [INLONG-7421][Manager] Add encoding check to the MySQL JDBC URL in MySQLDataNode (#7422)
2 files changed · +3 −4
inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/node/mysql/MySQLDataNodeDTO.java+2 −1 modified@@ -27,6 +27,7 @@ import org.apache.inlong.manager.common.enums.ErrorCodeEnum; import org.apache.inlong.manager.common.exceptions.BusinessException; import org.apache.inlong.manager.common.util.JsonUtils; +import org.apache.inlong.manager.pojo.sink.mysql.MySQLSinkDTO; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -77,6 +78,6 @@ public static String convertToJdbcurl(String url) { if (StringUtils.isNotBlank(jdbcUrl) && !jdbcUrl.startsWith(MYSQL_JDBC_PREFIX)) { jdbcUrl = MYSQL_JDBC_PREFIX + jdbcUrl; } - return jdbcUrl; + return MySQLSinkDTO.filterSensitive(jdbcUrl); } }
inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java+1 −3 modified@@ -17,7 +17,6 @@ package org.apache.inlong.manager.pojo.sink.mysql; -import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Strings; import io.swagger.annotations.ApiModelProperty; import lombok.AllArgsConstructor; @@ -217,8 +216,7 @@ public static String setDbNameToUrl(String jdbcUrl, String databaseName) { * @param url str may have some sensitive params * @return str without sensitive param */ - @VisibleForTesting - protected static String filterSensitive(String url) { + public static String filterSensitive(String url) { if (StringUtils.isBlank(url)) { return url; }
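Review bot: the `return MySQLSinkDTO.filterSensitive(jdbcUrl);` hunk in `convertToJdbcurl` makes the data-node path only as safe as whatever `filterSensitive` happens to strip, yet neither this diff nor the method's Javadoc ("str without sensitive param") says which parameters those are, and the PR changes no test (2 files changed, both under `src/main`). Add a test in manager-pojo that feeds `convertToJdbcurl` URLs carrying `autoDeserialize`, `queryInterceptors`, a percent-encoded key and a mixed-case key and asserts they do not survive, so a later edit to the filter cannot silently reopen this path. The commit title also says "Add encoding check" while the change adds a parameter filter, not an encoding check; retitle it to match.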
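Review bot: widening `filterSensitive` from `@VisibleForTesting protected` to `public` in the MySQLSinkDTO hunk turns a sink-DTO helper into the shared security boundary for both sink and node URLs, and leaves `pojo/node/mysql` reaching into `pojo/sink/mysql` for it. Move the filter into a shared utility (the node DTO already imports from `org.apache.inlong.manager.common.util`) and update the Javadoc to state that the method is security-relevant and to list the keys it removes; the current "may have some sensitive params" wording gives a future caller no idea what it can rely on.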
Vulnerability mechanics
Root cause
"Missing sanitization of JDBC URL parameters in MySQLDataNodeDTO allows injection of deserialization-triggering connection properties."
Attack vector
An authenticated InLong user can supply a crafted MySQL JDBC URL whose connection properties (e.g., `autoDeserialize=true` together with a `queryInterceptors` entry that makes the driver read result rows) cause the MySQL driver to deserialize data returned by the server the URL names [patch_id=1640956]. Pointing the URL at an attacker-controlled MySQL server therefore yields deserialization of attacker-chosen bytes inside the InLong Manager process; the serialized payload is delivered by that server, not embedded in the URL itself. The `convertToJdbcurl()` method previously returned the URL unchanged, so these properties reached the driver unfiltered. The attacker needs only valid InLong credentials and the ability to configure a MySQL data node.
Affected code
The vulnerability resides in `MySQLDataNodeDTO.convertToJdbcurl()` within `inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/node/mysql/MySQLDataNodeDTO.java`. This method constructs a JDBC URL from user-supplied input without sanitizing sensitive parameters. The fix reuses `MySQLSinkDTO.filterSensitive()` (made public from protected) to strip dangerous connection properties from the URL before returning it.
What the fix does
The patch makes `MySQLSinkDTO.filterSensitive()` public (was `protected`) and calls it from `MySQLDataNodeDTO.convertToJdbcurl()` to strip sensitive JDBC parameters before returning the URL [patch_id=1640956]. Previously, `convertToJdbcurl()` returned the user-supplied URL verbatim, enabling injection of deserialization-triggering properties. By reusing the existing filter, the fix puts the data-node path through the same parameter check the sink path already used, so both callers now remove the same set of dangerous connection properties.
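As an added example, not InLong's code and not the patch above, here is a hardened form of the check described in the attack-vector and fix sections, written in Java 11+. It goes beyond the patch: instead of stripping a denylist of known-bad names it percent-decodes and lower-cases every key in the query string and accepts only an allowlisted set of connection properties, refusing the whole URL otherwise so the attempt is visible rather than silently cleaned. The class name `JdbcUrlGuard`, the two property sets and the sample URLs are assumptions chosen for the illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.StringJoiner;

// Added example (not InLong code): allowlist validation of a MySQL JDBC URL.
// Java 11+. The property sets below are assumptions chosen for illustration.
public final class JdbcUrlGuard {

    static final String MYSQL_JDBC_PREFIX = "jdbc:mysql://";

    // Connection properties a data-node definition legitimately needs; everything
    // else is refused. Keys are compared in lower case after percent-decoding.
    static final Set<String> ALLOWED = Set.of(
            "useunicode", "characterencoding", "servertimezone",
            "usessl", "requiressl", "connecttimeout", "sockettimeout");

    // Properties that let a URL steer Connector/J into deserializing server-supplied
    // bytes or reading local files. Used only to label rejections; the allowlist
    // enforces the policy, so a property missing from this set is still refused.
    static final Set<String> KNOWN_DANGEROUS = Set.of(
            "autodeserialize", "queryinterceptors", "statementinterceptors",
            "allowloadlocalinfile", "allowurlinlocalinfile");

    /** Returns the normalised URL, or throws if any property is outside the allowlist. */
    public static String sanitize(String url) {
        if (url == null || url.isBlank()) {
            throw new IllegalArgumentException("empty JDBC URL");
        }
        String jdbcUrl = url.trim();
        if (!jdbcUrl.startsWith(MYSQL_JDBC_PREFIX)) {
            jdbcUrl = MYSQL_JDBC_PREFIX + jdbcUrl;
        }
        int q = jdbcUrl.indexOf('?');
        if (q < 0) {
            return jdbcUrl;                       // no connection properties at all
        }
        String base = jdbcUrl.substring(0, q);
        StringJoiner kept = new StringJoiner("&");
        List<String> rejected = new ArrayList<>();
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String rawKey = eq < 0 ? pair : pair.substring(0, eq);
            // Decode before comparing so "auto%44eserialize" is seen as autoDeserialize.
            String key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8)
                    .trim().toLowerCase(Locale.ROOT);
            if (ALLOWED.contains(key)) {
                kept.add(pair);                   // pass the pair through as written
            } else {
                rejected.add(KNOWN_DANGEROUS.contains(key)
                        ? key + " (deserialization/file-access property)" : key);
            }
        }
        if (!rejected.isEmpty()) {
            // Refuse rather than silently strip: the caller learns why, and the
            // attempt shows up in logs instead of vanishing into a cleaned URL.
            throw new IllegalArgumentException("disallowed JDBC properties: " + rejected);
        }
        return kept.length() == 0 ? base : base + "?" + kept;
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration: one benign, two hostile.
        String[] samples = {
            "10.0.0.5:3306/inlong?useSSL=true&characterEncoding=utf8",
            "jdbc:mysql://db.example:3306/inlong?autoDeserialize=true"
                + "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
            "jdbc:mysql://db.example:3306/inlong?auto%44eserialize=true",
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + sanitize(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The allowlist is deliberately short: a data-node definition needs a handful of encoding, TLS and timeout settings, and anything else should be added explicitly after review rather than discovered missing from a denylist. Decoding the key before comparison matters because a literal string match on `autoDeserialize` does not see `auto%44eserialize`, while the driver's own URL parsing may.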
Preconditions
- auth: Attacker must have valid InLong authentication credentials
- input: Attacker must be able to configure or modify a MySQL data node's JDBC URL
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-gpqq-59rp-3c3w (GitHub Security Advisory)
- https://lists.apache.org/thread/xbvtjw9bwzgbo9fp1by8o3p49nf59xzt (vendor advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-27296
- https://github.com/apache/inlong/pull/7422 (fix)
- https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html (background on JDBC deserialization)