Apache InLong: SQL injection in Apache InLong 1.5.0
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the "orderType" parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the user with ID 1 from the "user" table, one character at a time. Users are advised to upgrade to Apache InLong 1.6.0 or cherry-pick [1] to solve it.
https://programmer.help/blogs/jdbc-deserialization-vulnerability-learning.html
[1] https://github.com/apache/inlong/issues/7529
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Apache InLong 1.4.0-1.5.0 via the 'orderType' parameter allows attackers to extract usernames from the user table.
CVE-2023-30465 is an SQL injection vulnerability in Apache InLong versions 1.4.0 through 1.5.0. The root cause is improper neutralization of special elements used in an SQL command, specifically within the handling of the 'orderType' parameter. This flaw allows an attacker to inject arbitrary SQL code by manipulating the parameter and the ordering of returned content [2][4].
An attacker can exploit this vulnerability by sending crafted HTTP requests to an affected InLong endpoint that uses the 'orderType' parameter. No authentication is explicitly required, making the attack surface accessible to remote, unauthenticated users. The injection is blind: the attacker extracts the username of the user with ID 1 from the 'user' table one character at a time by observing changes in the response ordering [2][4].
The impact is the ability to extract sensitive information from the database, starting with usernames. This could be extended to other data depending on the database permissions. The Apache Software Foundation has rated this vulnerability as 'important' severity [4].
Mitigation is available by upgrading to Apache InLong 1.6.0, which includes the fix, or by cherry-picking the patch from the referenced GitHub issue [1][2][4]. Users are strongly advised to apply the update immediately.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
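The mechanism described above is the classic ORDER BY injection: a sort direction or column name cannot be passed to the database as a bound parameter, so if the request value is pasted into the statement text, the client controls SQL that the database parses and evaluates. The defence is therefore validation against a fixed allowlist before any SQL is built, not escaping. The following is an added example, not code from Apache InLong or from the fix in 1.6.0; the SQLite schema, the sample rows, and the function and constant names (`list_users_vulnerable`, `list_users_hardened`, `ALLOWED_ORDER_TYPES`, `ALLOWED_ORDER_FIELDS`) are constructed for this demonstration and are assumptions.

```python
import sqlite3

# Allowlists: request values are mapped onto fixed SQL fragments.
# These names and values are constructed for this example, not taken from InLong.
ALLOWED_ORDER_TYPES = {"asc": "ASC", "desc": "DESC"}
ALLOWED_ORDER_FIELDS = frozenset({"id", "name", "create_time"})


def make_db():
    """Build an in-memory SQLite database with a constructed 'user' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, create_time TEXT)"
    )
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [
            (1, "admin", "2023-01-01"),
            (2, "bob", "2023-01-02"),
            (3, "carol", "2023-01-03"),
        ],
    )
    return conn


def list_users_vulnerable(conn, order_field, order_type):
    """Vulnerable pattern: caller-controlled text is concatenated into ORDER BY.

    ORDER BY cannot be parameterised with bind variables, so whatever the
    client sends for order_type becomes part of the statement the database
    parses. This is the class of defect behind CVE-2023-30465.
    """
    sql = f"SELECT id, name FROM user ORDER BY {order_field} {order_type}"
    return [name for _id, name in conn.execute(sql)]


def list_users_hardened(conn, order_field, order_type):
    """Hardened pattern: validate both pieces against allowlists first.

    Only known column names and the two literal directions reach the SQL
    string; anything else is rejected before a statement is built, so no
    input can change the shape of the query.
    """
    if order_field not in ALLOWED_ORDER_FIELDS:
        raise ValueError(f"unsupported orderField: {order_field!r}")
    direction = ALLOWED_ORDER_TYPES.get(str(order_type).strip().lower())
    if direction is None:
        raise ValueError(f"unsupported orderType: {order_type!r}")
    sql = f"SELECT id, name FROM user ORDER BY {order_field} {direction}"
    return [name for _id, name in conn.execute(sql)]


def accepts(list_fn, conn, order_field, order_type):
    """True if list_fn builds and runs a query for these inputs, False if it refuses."""
    try:
        list_fn(conn, order_field, order_type)
    except (ValueError, sqlite3.Error):
        return False
    return True


if __name__ == "__main__":
    conn = make_db()
    # Both variants behave identically for a legitimate request.
    print(list_users_vulnerable(conn, "id", "desc"))  # ['carol', 'bob', 'admin']
    print(list_users_hardened(conn, "id", "DESC"))    # ['carol', 'bob', 'admin']
    # A value that is an SQL expression rather than a direction is parsed and
    # evaluated by the vulnerable variant, but refused by the hardened one.
    probe = "ASC, length(name)"
    print(accepts(list_users_vulnerable, conn, "id", probe))  # True
    print(accepts(list_users_hardened, conn, "id", probe))    # False
```

The probe value is deliberately a harmless expression: the point is that the vulnerable variant hands any string straight to the SQL parser, which is exactly the property a blind, ordering-based extraction relies on, while the hardened variant only ever emits one of two fixed directions over a fixed set of columns. When reviewing code for this pattern, look for ORDER BY (and LIMIT, table and column names) assembled from request data and check that each such fragment is selected from a server-side map rather than taken from the request.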
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.inlong:manager-pojo | Maven | >= 1.4.0, < 1.6.0 | 1.6.0 |
| org.apache.inlong:manager-service | Maven | >= 1.4.0, < 1.6.0 | 1.6.0 |
Affected products
- GHSA coordinates (no CPE), 2 entries: range >= 1.4.0, < 1.6.0
- GHSA coordinates (no CPE): range >= 1.4.0, < 1.6.0
- Apache Software Foundation / Apache InLong (v5 record): range 1.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cqr6-3x3f-9wr3 (ghsa, ADVISORY)
- lists.apache.org/thread/mrh4nr3jrlbj6nxkn4q8hddbfh1pnok0 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-30465 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2023/04/11/2 (ghsa, WEB)
- github.com/apache/inlong/issues/7529 (ghsa, WEB)
- github.com/apache/inlong/pull/7530 (ghsa, WEB)
- inlong.apache.org/zh-CN/download/release-1.6.0 (ghsa, WEB)
News mentions
No linked articles in our index yet.