Critical severityNVD Advisory· Published Jul 25, 2023· Updated Feb 13, 2025

Apache InLong: SQL injection in audit endpoint

CVE-2023-35088

Description

Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8198

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache InLong 1.4.0 through 1.7.0 is vulnerable to SQL injection in the toAuditCkSql method via direct concatenation of parameters.

Vulnerability

Analysis

CVE-2023-35088 is a SQL injection vulnerability in Apache InLong, a one-stop data integration framework [3]. The flaw exists in the toAuditCkSql method, where the groupId, streamId, auditId, and dt parameters are directly concatenated into a SQL query statement without proper neutralization [1][2]. This allows an attacker to inject malicious SQL commands through these parameters.

Exploitation

An attacker can exploit this vulnerability by crafting specially input values for any of the concatenated parameters (groupId, streamId, auditId, dt) when calling the affected audit interface. The attack requires network access to the ClickHouse query endpoint [2]. As the parameters are used directly in string concatenation, no authentication is explicitly required to reach the vulnerable code path, though in practice access controls may limit exposure.

Impact

Successful exploitation could allow an attacker to execute arbitrary SQL commands against the ClickHouse database backend. This could lead to unauthorized reading, modification, or deletion of audit data and potentially other database contents, compromising the confidentiality and integrity of the InLong system's audit information [2].

Mitigation

Apache has addressed this vulnerability in InLong version 1.8.0. Users on versions 1.4.0 through 1.7.0 are advised to upgrade immediately or apply the fix by cherry-picking commit cab63a8eea6c0f4bf3d30ce245b7e1beee42504d, which replaces the vulnerable Statement with a parameterized PreparedStatement to prevent SQL injection [1][4].

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.inlong:manager-serviceMaven	>= 1.4.0, < 1.8.0	1.8.0

Affected products

ghsa-coords
pkg:maven/org.apache.inlong/manager-service
Range: >= 1.4.0, < 1.8.0
Apache Software Foundation/Apache InLongv5
Range: 1.4.0

Patches

cab63a8eea6c

[INLONG-8197][Manager] Optimize the ClickHouse query for the Audit interface (#8198)

https://github.com/apache/inlongHaoJun 12, 2023via ghsa

commit

1 file changed · +25 −11

inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/core/impl/AuditServiceImpl.java+25 −11 modified

@@ -67,8 +67,9 @@
 
 import java.math.BigDecimal;
 import java.sql.Connection;
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
-import java.sql.Statement;
+import java.sql.SQLException;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Date;
@@ -239,9 +240,9 @@ public List<AuditVO> listByCondition(AuditRequest request) throws Exception {
                 }
             } else if (AuditQuerySource.CLICKHOUSE == querySource) {
                 try (Connection connection = ClickHouseConfig.getCkConnection();
-                        Statement statement = connection.createStatement();
-                        ResultSet resultSet = statement.executeQuery(
-                                toAuditCkSql(groupId, streamId, auditId, request.getDt()))) {
+                        PreparedStatement statement =
+                                getAuditCkStatement(connection, groupId, streamId, auditId, request.getDt());
+                        ResultSet resultSet = statement.executeQuery()) {
                     List<AuditInfo> auditSet = new ArrayList<>();
                     while (resultSet.next()) {
                         AuditInfo vo = new AuditInfo();
@@ -308,28 +309,41 @@ private SearchRequest toAuditSearchRequest(String index, String groupId, String
     }
 
     /**
-     * Convert to clickhouse search sql
+     * Get clickhouse Statement
      *
+     * @param connection The ClickHouse connection
      * @param groupId The groupId of inlong
      * @param streamId The streamId of inlong
      * @param auditId The auditId of request
      * @param dt The datetime of request
-     * @return clickhouse sql
+     * @return The clickhouse Statement
      */
-    private String toAuditCkSql(String groupId, String streamId, String auditId, String dt) {
+    private PreparedStatement getAuditCkStatement(Connection connection, String groupId, String streamId,
+            String auditId, String dt) throws SQLException {
         DateTimeFormatter formatter = DateTimeFormat.forPattern(DAY_FORMAT);
         DateTime date = formatter.parseDateTime(dt);
         String startDate = date.toString(SECOND_FORMAT);
         String endDate = date.plusDays(1).toString(SECOND_FORMAT);
-        return new SQL()
+
+        String sql = new SQL()
                 .SELECT("log_ts", "sum(count) as total")
                 .FROM("audit_data")
-                .WHERE("inlong_group_id = '" + groupId + "'", "inlong_stream_id = '" + streamId + "'",
-                        "audit_id = '" + auditId + "'")
-                .WHERE("log_ts >= '" + startDate + "'", "log_ts < '" + endDate + "'")
+                .WHERE("inlong_group_id = ?")
+                .WHERE("inlong_stream_id = ?")
+                .WHERE("audit_id = ?")
+                .WHERE("log_ts >= ?")
+                .WHERE("log_ts < ?")
                 .GROUP_BY("log_ts")
                 .ORDER_BY("log_ts")
                 .toString();
+
+        PreparedStatement statement = connection.prepareStatement(sql);
+        statement.setString(1, groupId);
+        statement.setString(2, streamId);
+        statement.setString(3, auditId);
+        statement.setString(4, startDate);
+        statement.setString(5, endDate);
+        return statement;
     }
 
     /**

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-r5pv-7g89-cxmcghsaADVISORY
lists.apache.org/thread/os7b66x4n8dbtrdpb7c6x37bb1vjb0tkghsavendor-advisoryWEB
nvd.nist.gov/vuln/detail/CVE-2023-35088ghsaADVISORY
seclists.org/fulldisclosure/2023/Jul/43ghsaWEB
www.openwall.com/lists/oss-security/2023/07/25/4ghsaWEB
github.com/apache/inlong/commit/cab63a8eea6c0f4bf3d30ce245b7e1beee42504dghsaWEB
github.com/apache/inlong/pull/8198ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000