VYPR
← All advisories
High severityNVD Advisory· Published Jul 25, 2023· Updated Feb 13, 2025

Apache InLong: JDBC URL bypassing by allowLoadLocalInfileInPath param

CVE-2023-34434

Description

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0.

The attacker could bypass the current logic and achieve arbitrary file reading. To solve it, users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick https://github.com/apache/inlong/pull/8130 .

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache InLong versions 1.4.0 through 1.7.0 contain a deserialization vulnerability that allows an attacker to bypass security filters and achieve arbitrary file reading via a crafted JDBC URL.

Vulnerability

Overview

CVE-2023-34434 is a deserialization of untrusted data vulnerability in Apache InLong, affecting versions 1.4.0 through 1.7.0 [1][4]. The root cause lies in insufficient sanitization of JDBC connection URL parameters. Specifically, the filterSensitive() method in MySQLSinkDTO failed to properly strip dangerous connection properties such as allowLoadLocalInfileInPath, allowing attackers to inject malicious parameters [3].

Exploitation

Method

An attacker with network access to an InLong instance can supply a specially crafted MySQL JDBC URL that includes sensitive parameters like autoDeserialize=true and allowLoadLocalInfile=true. The flawed sanitization logic only checked for the parameter names without validating their values or accounting for URL encoding variations, enabling the attacker to bypass the intended security controls [3][4]. No authentication is required if the attacker can influence a data source configuration.

Impact

Successful exploitation allows an attacker to perform arbitrary file reading on the server hosting the InLong manager component. By enabling the MySQL JDBC driver’s auto-deserialization and local file loading capabilities, the attacker can retrieve sensitive files from the server’s filesystem, potentially leading to further compromise [1][4].

Mitigation

The Apache InLong project has addressed this issue in version 1.8.0. Users unable to upgrade immediately can apply the fix by cherry-picking commit 34835f827771074345f42a9b1658d018f202516e from the official repository [3]. The commit adds proper encoding checks and more robust filtering of JDBC URL parameters [3]. No workaround is available for versions prior to 1.8.0 without applying the patch.

References
  1. NVD - CVE-2023-34434
  2. [INLONG-8129][Manager] Add encoding check to the MySQL JDBC URL (#8130) · apache/inlong@34835f8
  3. security - CVE-2023-34434: Apache InLong: JDBC URL bypassing by allowLoadLocalInfileInPath param

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.inlong:manager-pojoMaven
>= 1.4.0, < 1.8.01.8.0

Affected products

2

Patches

1
34835f827771

[INLONG-8129][Manager] Add encoding check to the MySQL JDBC URL (#8130)

https://github.com/apache/inlongHaoJun 6, 2023via ghsa
commit
2 files changed · +71 21
  • inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java+40 9 modified
    @@ -35,9 +35,12 @@
 import javax.validation.constraints.NotNull;
 
 import java.net.URLDecoder;
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -53,13 +56,19 @@ public class MySQLSinkDTO {
     /**
      * The sensitive param may lead the attack.
      */
-    private static final Map<String, String> SENSITIVE_PARAM_MAP = new HashMap<String, String>() {
+    private static final Map<String, String> SENSITIVE_REPLACE_PARAM_MAP = new HashMap<String, String>() {
 
         {
-            put("autoDeserialize=true", "autoDeserialize=false");
-            put("allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
-            put("allowUrlInLocalInfile=true", "allowUrlInLocalInfile=false");
-            put("allowLoadLocalInfileInPath=/", "allowLoadLocalInfileInPath=");
+            put("autoDeserialize", "false");
+            put("allowLoadLocalInfile", "false");
+            put("allowUrlInLocalInfile", "false");
+        }
+    };
+
+    private static final Set<String> SENSITIVE_REMOVE_PARAM_MAP = new HashSet<String>() {
+
+        {
+            add("allowLoadLocalInfileInPath");
         }
     };
 
@@ -222,18 +231,40 @@ public static String filterSensitive(String url) {
         if (StringUtils.isBlank(url)) {
             return url;
         }
+
         try {
             String resultUrl = url;
             while (resultUrl.contains(InlongConstants.PERCENT)) {
                 resultUrl = URLDecoder.decode(resultUrl, "UTF-8");
             }
             resultUrl = resultUrl.replaceAll(InlongConstants.BLANK, "");
-            for (String sensitiveParam : SENSITIVE_PARAM_MAP.keySet()) {
-                if (StringUtils.containsIgnoreCase(resultUrl, sensitiveParam)) {
-                    resultUrl = StringUtils.replaceIgnoreCase(resultUrl, sensitiveParam,
-                            SENSITIVE_PARAM_MAP.get(sensitiveParam));
+
+            if (resultUrl.contains(InlongConstants.QUESTION_MARK)) {
+                StringBuilder builder = new StringBuilder();
+                builder.append(StringUtils.substringBefore(resultUrl, InlongConstants.QUESTION_MARK));
+                builder.append(InlongConstants.QUESTION_MARK);
+
+                List<String> paramList = new ArrayList<>();
+                String queryString = StringUtils.substringAfter(resultUrl, InlongConstants.QUESTION_MARK);
+                for (String param : queryString.split("&")) {
+                    String key = StringUtils.substringBefore(param, "=");
+                    String value = StringUtils.substringAfter(param, "=");
+
+                    if (SENSITIVE_REMOVE_PARAM_MAP.contains(key)) {
+                        continue;
+                    }
+
+                    if (SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)) {
+                        value = SENSITIVE_REPLACE_PARAM_MAP.get(key);
+                    }
+                    paramList.add(key + "=" + value);
                 }
+
+                String params = StringUtils.join(paramList, "&");
+                builder.append(params);
+                resultUrl = builder.toString();
             }
+
             LOGGER.info("the origin url [{}] was replaced to: [{}]", url, resultUrl);
             return resultUrl;
         } catch (Exception e) {
  • inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java+31 12 modified
    @@ -31,46 +31,65 @@ public class MySQLSinkDTOTest {
     public void testFilterSensitive() throws Exception {
         // the sensitive params no use url code
         String originUrl = MySQLSinkDTO.filterSensitive(
-                "autoDeserialize=TRue&allowLoadLocalInfile = TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true");
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile = TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true");
         Assertions.assertEquals(
-                "autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=&autoReconnect=true",
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoReconnect=true",
                 originUrl);
 
         originUrl = MySQLSinkDTO.filterSensitive(
-                "autoReconnect=true&autoDeserialize = TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
+                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize = TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
         Assertions.assertEquals(
-                "autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
                 originUrl);
 
         originUrl = MySQLSinkDTO.filterSensitive(
-                "autoDeserialize=TRue&allowLoadLocalInfile = TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile = TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
         Assertions.assertEquals(
-                "autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
+                originUrl);
+        originUrl = MySQLSinkDTO.filterSensitive(
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=Yes&allowLoadLocalInfile = Yes&autoReconnect=true&allowUrlInLocalInfile=YEs&allowLoadLocalInfileInPath=/");
+        Assertions.assertEquals(
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
                 originUrl);
 
         // the sensitive params use url code
         originUrl = MySQLSinkDTO.filterSensitive(
                 URLEncoder.encode(
-                        "autoDeserialize=TRue&allowLoadLocalInfile = TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true",
+                        "jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile = TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true",
                         "UTF-8"));
         Assertions.assertEquals(
-                "autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=&autoReconnect=true",
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoReconnect=true",
                 originUrl);
 
         originUrl = MySQLSinkDTO.filterSensitive(
                 URLEncoder.encode(
-                        "autoReconnect=true&autoDeserialize = TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
+                        "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize = TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
                         "UTF-8"));
         Assertions.assertEquals(
-                "autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
                 originUrl);
 
         originUrl = MySQLSinkDTO.filterSensitive(
                 URLEncoder.encode(
-                        "autoDeserialize=TRue&allowLoadLocalInfile = TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
+                        "jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile = TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
                         "UTF-8"));
         Assertions.assertEquals(
-                "autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
+                originUrl);
+
+        originUrl = MySQLSinkDTO.filterSensitive(
+                URLEncoder.encode(
+                        "jdbc:mysql://127.0.0.1:3306?autoDeserialize=Yes&allowLoadLocalInfile = yes&autoReconnect=true&allowUrlInLocalInfile=YES&allowLoadLocalInfileInPath=/",
+                        "UTF-8"));
+        Assertions.assertEquals(
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
+                originUrl);
+
+        originUrl = MySQLSinkDTO.filterSensitive(
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=%59%65%73&allowLoadLocalInfile = yes&allowUrlInLocalInfil%65+=%74%72%75%45&allowLoadLocalInfileInPath=%2F");
+        Assertions.assertEquals(
+                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
                 originUrl);
     }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.