Apache InLong: JDBC URL bypassing by adding blanks
Description
Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers would bypass the 'autoDeserialize' option filtering by adding blanks. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7674 to solve it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong deserialization vulnerability allows attackers to bypass 'autoDeserialize' filtering by adding blanks, leading to remote code execution.
Vulnerability
Description
CVE-2023-31058 is a deserialization of untrusted data vulnerability in Apache InLong versions 1.4.0 through 1.6.0 [1]. The root cause is that the 'autoDeserialize' option filter can be bypassed by inserting blanks into the serialized data, allowing an attacker to inject malicious objects that will be deserialized by the application [1]. This affects the core functionality of Apache InLong, a one-stop integration framework for massive data [2].
Exploitation
An attacker can exploit this vulnerability by crafting a serialized payload that includes blanks to evade the filtering mechanism [1]. This payload can be delivered via JDBC URL or other data inputs that are deserialized by the Manager module. No authentication is required for exploitation, as the vulnerability can be triggered by simply sending a specially crafted request to the affected service [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the server, potentially leading to full system compromise. This includes unauthorized access to sensitive data, disruption of services, and lateral movement within the network [1].
Mitigation
The issue has been fixed in Apache InLong version 1.7.0 [1]. Users are advised to upgrade to this version or apply the patch from pull request #7674 [3], which removes whitespace from the URL before validation [3]. There are no known workarounds for this vulnerability [1].
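The fix described above is an instance of a general rule: canonicalise input before matching it against a deny list. The following is an added example written for this page, not InLong's code and not the content of pull request #7674. It places a naive substring filter next to a hardened one that strips all whitespace (and, going one step beyond the advisory, percent-decodes) before checking for the autoDeserialize option. The function names, the DISALLOWED_OPTIONS list and the sample URLs are constructed for the example.

```python
import re
from urllib.parse import unquote

# Option names that must not appear in a user-supplied JDBC URL.
# Only autoDeserialize is named in the advisory; the tuple form is so
# that further names can be added. (Assumption: this list is ours.)
DISALLOWED_OPTIONS = ("autodeserialize",)


def naive_is_safe(jdbc_url: str) -> bool:
    """Substring match on the raw URL, i.e. the kind of filter the advisory
    says can be slipped past by adding blanks. Shown only for comparison."""
    return "autoDeserialize" not in jdbc_url


def normalize_jdbc_url(jdbc_url: str) -> str:
    """Canonicalise before matching: percent-decode until the value stops
    changing (bounded so a pathological input cannot loop), remove every
    whitespace character (space, tab, newline, ...), and lower-case."""
    decoded = jdbc_url
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r"\s+", "", decoded).lower()


def hardened_is_safe(jdbc_url: str) -> bool:
    """Accept only a MySQL JDBC URL in which no disallowed option name
    survives normalisation. The scheme check is an extra constraint
    chosen for this example, not something the advisory requires."""
    canon = normalize_jdbc_url(jdbc_url)
    if not canon.startswith("jdbc:mysql://"):
        return False
    return not any(opt in canon for opt in DISALLOWED_OPTIONS)


# Constructed sample URLs (not taken from the advisory) used to compare the
# two checks. Host and database names are placeholders.
SAMPLES = {
    "plain": "jdbc:mysql://db.example.internal:3306/inlong?useSSL=false",
    "explicit": "jdbc:mysql://db.example.internal:3306/inlong?autoDeserialize=true",
    "spaced": "jdbc:mysql://db.example.internal:3306/inlong?auto Deserialize=true",
    "tab": "jdbc:mysql://db.example.internal:3306/inlong?auto\tDeserialize=true",
    "encoded": "jdbc:mysql://db.example.internal:3306/inlong?auto%20Deserialize=true",
}


def compare_checks() -> dict:
    """Return {sample name: (naive verdict, hardened verdict)}; True means
    the check would let the URL through."""
    return {name: (naive_is_safe(u), hardened_is_safe(u)) for name, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_checks().items():
        print(f"{name:9s} naive={naive!s:5s} hardened={hardened}")
```

Running the block shows the naive filter accepting every sample except the literal `autoDeserialize=true`, while the hardened filter rejects all of the variants and accepts only the plain URL. The same normalise-then-match pattern is what a reviewer should look for when auditing any deny-list check on connection strings.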
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.inlong:manager-pojo | Maven | >= 1.4.0, < 1.7.0 | 1.7.0 |
| org.apache.inlong:manager-common | Maven | >= 1.4.0, < 1.7.0 | 1.7.0 |
Affected products (3)
Version ranges: >= 1.4.0, < 1.7.0 (+1 more)
- ghsa-coords (no CPE), range: >= 1.4.0, < 1.7.0
- ghsa-coords (no CPE), range: >= 1.4.0, < 1.7.0
- Apache Software Foundation / Apache InLong (v5 range): 1.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- https://github.com/advisories/GHSA-c3rh-f2w5-fghm (GHSA advisory)
- https://lists.apache.org/thread/bkcgbn9l61croxfyspf7xd42qb189s3z (vendor advisory, via GHSA)
- https://nvd.nist.gov/vuln/detail/CVE-2023-31058 (advisory, via GHSA)
- https://github.com/apache/inlong/pull/7674 (web, via GHSA)
News mentions
No linked articles in our index yet.