Apache InLong: Log Injection in Global functions
Description
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0: an attacker can create misleading or false log records, making it harder to audit and trace malicious activities. Users are advised to upgrade to Apache InLong 1.9.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/8628
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An injection vulnerability in Apache InLong 1.4.0 to 1.8.0 allows attackers to produce misleading log entries, hindering audit and forensic activities.
Root Cause
CVE-2023-43667 is an injection vulnerability in Apache InLong, affecting versions 1.4.0 through 1.8.0. The flaw stems from improper neutralization of special elements in output used by a downstream component. This enables an attacker to inject crafted data into log records, effectively creating false or misleading log entries [1].
Attack Vector
The vulnerability can be exploited by an attacker who can supply input that is processed and eventually written to logs. Because the input is not neutralized, the attacker can embed line breaks or other special characters that alter the intended log output, for example by terminating the real record and appending a fabricated one. The exact preconditions (authentication requirements, network position) are not detailed in the public sources. The fix in pull request #8628 validates the request bodies of the `testConnection` endpoints in the Manager component, which indicates that fields of those requests are the injection path [1].
Impact
By injecting false log records, an attacker can obscure their malicious activities, making it difficult for defenders to audit and trace what actually happened. This undermines the integrity of the logging system and can delay incident detection and response [1].
Mitigation
The Apache InLong project has addressed this issue in version 1.9.0. Users who cannot upgrade immediately can apply the fix by cherry-picking the commit from pull request #8628 [1]. The fix adds `@Validated` to the request-body parameters of the two `testConnection` endpoints, so the Bean Validation constraints declared on `DataNodeRequest` and `ClusterRequest` are enforced before a request reaches the service layer and its fields are written to the log.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.inlong:inlong (Maven) | >= 1.4.0, < 1.8.0 | 1.8.0 |
Note that this range differs from the CVE description above, which lists 1.8.0 as affected and 1.9.0 as the fixed release; treat 1.8.0 as affected unless you have confirmed that the commit below is present in your build.
Affected products
- Range: 1.4.0
Patches
19d44b257c3fc [INLONG-8627][Manager] Add parameters validation for the testConnection method (#8628)
2 files changed · +2 −2
inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/controller/DataNodeController.java+1 −1 modified@@ -130,7 +130,7 @@ public Response<Boolean> deleteByKey(@RequestParam String name, @RequestParam St @PostMapping("/node/testConnection") @ApiOperation(value = "Test connection for data node") - public Response<Boolean> testConnection(@RequestBody DataNodeRequest request) { + public Response<Boolean> testConnection(@Validated @RequestBody DataNodeRequest request) { return Response.success(dataNodeService.testConnection(request)); }
inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/controller/InlongClusterController.java+1 −1 modified@@ -285,7 +285,7 @@ public Response<Boolean> deleteNode(@PathVariable Integer id) { @PostMapping("/cluster/testConnection") @ApiOperation(value = "Test connection for inlong cluster") - public Response<Boolean> testConnection(@RequestBody ClusterRequest request) { + public Response<Boolean> testConnection(@Validated @RequestBody ClusterRequest request) { return Response.success(clusterService.testConnection(request)); } }
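Review bot: `@Validated` on the `@RequestBody DataNodeRequest` parameter in `DataNodeController.testConnection` only triggers constraints that `DataNodeRequest` itself declares, and this hunk adds none; for any field without a `@NotBlank`, `@Pattern` or `@Size` annotation the change is a no-op, so the PR should either show the constraint annotations on the fields that end up in log messages or state where they already exist. The file is counted as +1 −1, so the `@Validated` import was already present; confirm it is Spring's `org.springframework.validation.annotation.Validated` (or `javax.validation.Valid`), the annotations Spring MVC honours for request-body validation.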
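Review bot: the `ClusterRequest` hunk in `InlongClusterController.testConnection` has the same dependency on constraints declared elsewhere, and the surrounding context shows two further gaps. Method-parameter `@Validated` covers only this one body argument: the neighbouring `deleteNode(@PathVariable Integer id)` here, and `deleteByKey(@RequestParam String name, ...)` in the other file, receive their parameters unvalidated unless the controller class itself carries `@Validated` to enable method-level validation. And when validation fails Spring MVC raises `MethodArgumentNotValidException`; if the project's exception handler logs the rejected value verbatim, the same unneutralized string reaches the log through the error path, so the handler should log only the field name and constraint message. Suggested follow-up: `@Validated` on both controller classes, plus an output-side guard in the logging layout so free-text fields are safe regardless of which endpoint they arrive through.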
Vulnerability mechanics
Root cause
"Missing `@Validated` annotation on controller method parameters allows unvalidated input to reach downstream components, enabling injection attacks."
Attack vector
An attacker sends a crafted POST request to `/node/testConnection` or `/cluster/testConnection` with a malicious value in a field of the JSON request body. Because the `@Validated` annotation was missing, the framework did not enforce the Bean Validation constraints (such as `@NotBlank`, `@Size`, or `@Pattern`) declared on the fields of `DataNodeRequest` or `ClusterRequest`. A field containing line breaks or other special characters is then written into log records by the downstream service, which lets the attacker append forged entries or alter the shape of genuine ones [CWE-74]. Whether the endpoints require authentication, or are reachable from outside the Manager's network, is not stated in the public sources, so any deployment that exposes the Manager API to untrusted callers should be treated as at risk.
Affected code
The vulnerability affects the `testConnection` methods in `DataNodeController.java` and `InlongClusterController.java`. Both endpoints accepted `@RequestBody` parameters without the `@Validated` annotation, meaning no input validation was performed on the incoming request objects before they were processed by the downstream service layer.
What the fix does
The patch adds the `@Validated` annotation to the `@RequestBody` parameter in both `testConnection` methods. This annotation activates the Bean Validation constraints (such as `@NotBlank`, `@Pattern`, `@Size`) declared on the fields of `DataNodeRequest` and `ClusterRequest`, so a request with a non-conforming field is rejected before it reaches the service layer that builds log entries. The annotation enforces only constraints the request classes already declare; the diff adds none, so the fix is effective exactly for the fields that carry a constraint tight enough to exclude line breaks and other log metacharacters.
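The mechanism described above, as an added example that is not part of the advisory or of InLong's code: a Python stand-in that interpolates a request field into a log4j-style record, shows the forged second record an embedded newline produces, applies the two controls that stop it (a pattern constraint of the kind `@Validated` would enforce on the DTO field, and CR/LF encoding on output, the same idea as log4j2's `%enc{%m}{CRLF}` pattern converter), and flags forgery attempts once encoding is in place. The record layout, the `name` field, the constraint regex and the payload are all assumptions constructed for this example.

```python
import re

# Assumed record layout: "<timestamp> <LEVEL> [<logger>] <message>", a common
# log4j2 PatternLayout shape. This is an assumption, not InLong's configuration.
RECORD_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?:TRACE|DEBUG|INFO|WARN|ERROR) \[[^\]]+\] .*"
)

# Constructed payload for the (assumed) `name` field of a testConnection request:
# a plausible value, a newline, then a fabricated audit record.
FORGED_NAME = (
    "mysql-node\n"
    "2023-09-20 10:00:01 INFO [AuditLog] user=admin action=login result=success"
)


def log_line(level, logger, message, ts="2023-09-20 10:00:00"):
    """Format one record with a fixed timestamp so results are deterministic."""
    return f"{ts} {level} [{logger}] {message}\n"


def vulnerable_log(node_name):
    """Unvalidated field interpolated verbatim: the embedded newline ends the
    real record and the remainder is written as a second, forged record."""
    return log_line("INFO", "DataNodeService", f"test connection for node {node_name}")


# Hypothetical constraint, the Python equivalent of @Pattern/@Size on the DTO
# field that @Validated would enforce before the service layer runs.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def name_is_valid(node_name):
    """True when the field matches the allow-list; a request failing this check
    would be rejected at the controller and never reach the logger."""
    return NAME_RE.fullmatch(node_name) is not None


def encode_crlf(value):
    """Output-side neutralization: make line breaks visible instead of effective."""
    return value.replace("\r", "\\r").replace("\n", "\\n")


def hardened_log(node_name):
    """Same message, but the untrusted field is encoded before interpolation."""
    return log_line(
        "INFO", "DataNodeService", f"test connection for node {encode_crlf(node_name)}"
    )


def records(log_text):
    """Physical lines of a captured log that parse as complete records."""
    return [ln for ln in log_text.splitlines() if RECORD_RE.match(ln)]


# Detection for encoded logs: an escaped line break immediately followed by
# something shaped like a record header, inside a single record, is an attempt
# to forge an entry that the encoder defused.
FORGERY_RE = re.compile(
    r"\\[rn]\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?:TRACE|DEBUG|INFO|WARN|ERROR) "
)


def forgery_attempts(log_text):
    """Records containing a defused forgery attempt (only meaningful once
    CR/LF encoding is in place; unencoded logs show nothing to detect)."""
    return [ln for ln in log_text.splitlines() if FORGERY_RE.search(ln)]


if __name__ == "__main__":
    print("vulnerable:", len(records(vulnerable_log(FORGED_NAME))), "records")
    print("hardened:  ", len(records(hardened_log(FORGED_NAME))), "record(s)")
    print("attempts:  ", forgery_attempts(hardened_log(FORGED_NAME)))
    print("valid name:", name_is_valid(FORGED_NAME))
```

The two controls are complementary: the allow-list constraint is what the patch enables for fields that have one declared, while output encoding protects fields that must accept free text and also turns every forgery attempt into a single, searchable record, which is why the detector only works on encoded output.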
Preconditions
- network: The attacker must be able to send HTTP POST requests to the /node/testConnection or /cluster/testConnection endpoints
- config: The application must be running Apache InLong version 1.4.0 through 1.8.0
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-fpcf-qr79-hjqp (GitHub Security Advisory)
- https://lists.apache.org/thread/spnb378g268p1f902fr9kqyph2k8n543 (vendor advisory, Apache mailing list)
- https://nvd.nist.gov/vuln/detail/CVE-2023-43667 (NVD entry)
- https://github.com/apache/inlong/pull/8628 (fix pull request)