VYPR
Critical severity · NVD Advisory · Published Oct 16, 2023 · Updated Sep 16, 2024

Apache InLong: Jdbc Connection Security Bypass in InLong

CVE-2023-43668

Description

Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.8.0: some sensitive parameter checks will be bypassed, like "autoDeserialize", "allowLoadLocalInfile", ....

Users are advised to upgrade to Apache InLong 1.9.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/8604

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache InLong 1.4.0 through 1.8.0 lets a user who can configure a MySQL sink keep control of JDBC URL parameters that the Manager's filter was meant to neutralise, so driver features such as autoDeserialize and allowLoadLocalInfile can be switched on for a connection made from the InLong host.

Root Cause

The vulnerability resides in the MySQL JDBC URL parsing logic in Apache InLong's Manager module. The filterSensitive method in MySQLSinkDTO compared parameter keys against a denylist and rewrote the values of matching keys in place, but it did not neutralise every form of "autoDeserialize", "allowLoadLocalInfile" and related keys that the MySQL driver accepts, so a parameter the filter left untouched still reached the driver and took effect [2].

Exploitation

A user with access to the InLong management interface supplies a crafted JDBC URL when creating or editing a MySQL sink, pointing at a MySQL server they control and carrying parameters such as autoDeserialize=true. No other network position is required [1]. These driver options are only dangerous when the server end of the connection is malicious: autoDeserialize makes Connector/J deserialise Java objects the server returns in BLOB columns, and allowLoadLocalInfile lets the server ask the client to upload any file the client process can read.

Impact

With autoDeserialize enabled and a usable gadget chain on the InLong Manager classpath, the malicious server can execute arbitrary code on the Manager host; with allowLoadLocalInfile enabled it can read arbitrary files from that host through LOAD DATA LOCAL INFILE [2].

Mitigation

Apache InLong 1.9.0 drops the user-supplied sensitive parameters and appends fixed safe values instead of rewriting them in place. Users on 1.4.0 through 1.8.0 should upgrade immediately or apply the cherry-pick from pull request #8604 [1][4]. Until the upgrade lands, restrict who may create or edit MySQL sinks and allow only sink hosts on an internal allowlist, since the attack needs a MySQL endpoint the attacker controls.
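The bypass class described under Root Cause and the fix pattern described under Mitigation, as an added example that is not InLong's code: a small Python model in which a filter that compares raw parameter keys is run against four constructed spellings of autoDeserialize, beside a filter that decides on the key as the driver will see it and then appends the forced values. The driver model (split on "&" first, then percent-decode with "+" as space, trim whitespace, match keys case-insensitively, accept "true"/"yes"/"on"/"1" as truthy, later duplicate wins) is an assumption to check against the Connector/J version you ship; all inputs are constructed.

```python
from urllib.parse import unquote_plus

# Canonical spelling and forced value for parameters the sink must never take
# from a caller (the three keys the patched test on this page rewrites to "false").
SAFE_DEFAULTS = {
    "autoDeserialize": "false",
    "allowLoadLocalInfile": "false",
    "allowUrlInLocalInfile": "false",
}
FORCED_KEYS = {k.lower() for k in SAFE_DEFAULTS}
DROP_KEYS = {"allowloadlocalinfileinpath"}   # removed outright, no replacement
TRUTHY = {"true", "yes", "on", "1"}          # assumed driver boolean spellings


def split_params(url):
    """'jdbc:mysql://h/db?a=1&b=2' -> ('jdbc:mysql://h/db', [('a', '1'), ('b', '2')])."""
    base, sep, query = url.partition("?")
    pairs = []
    if sep:
        for param in query.split("&"):
            if param:
                key, _, value = param.partition("=")
                pairs.append((key, value))
    return base, pairs


def driver_view(url):
    """Assumed driver-side resolution: split on '&' first, then percent-decode
    ('+' is a space), trim and case-fold each key; a later duplicate wins."""
    props = {}
    for key, value in split_params(url)[1]:
        props[unquote_plus(key).strip().lower()] = unquote_plus(value).strip()
    return props


def driver_enables(url, key):
    """Would the modelled driver treat boolean property `key` as switched on?"""
    return driver_view(url).get(key.lower(), "").lower() in TRUTHY


def filter_exact(url):
    """Denylist compared against the raw key string. A deliberately weak filter
    written for this example; it is not InLong's code, whose normalisation ahead
    of the patched hunk is not shown on this page."""
    base, pairs = split_params(url)
    kept = []
    for key, value in pairs:
        if key == "allowLoadLocalInfileInPath":
            continue
        if key in SAFE_DEFAULTS:
            value = SAFE_DEFAULTS[key]
        kept.append(f"{key}={value}")
    return f"{base}?{'&'.join(kept)}" if kept else base


def filter_hardened(url):
    """Decide on the key as the driver will see it, drop every spelling of a
    forced or dropped key, keep the rest verbatim (never decode-then-rejoin,
    which could manufacture new '&'-separated parameters), and append the
    forced values once in canonical form."""
    base, pairs = split_params(url)
    kept = []
    for key, value in pairs:
        canon = unquote_plus(key).strip().lower()
        if canon in DROP_KEYS or canon in FORCED_KEYS:
            continue
        kept.append(f"{key}={value}")
    kept.extend(f"{k}={v}" for k, v in SAFE_DEFAULTS.items())
    return f"{base}?{'&'.join(kept)}"


# Constructed evasions: four spellings of the same key that an exact-match
# denylist does not recognise but the modelled driver resolves to autoDeserialize.
EVASIONS = {
    "case":    "jdbc:mysql://127.0.0.1:3306/db?AutoDeserialize=TRUE",
    "space":   "jdbc:mysql://127.0.0.1:3306/db?autoDeserialize =yes",
    "encoded": "jdbc:mysql://127.0.0.1:3306/db?autoDeserializ%65=%74rue",
    "plus":    "jdbc:mysql://127.0.0.1:3306/db?autoDeserialize+=on",
}


def bypasses(filter_fn, url, key="autoDeserialize"):
    """True when, after filter_fn has run, the driver would still see `key` enabled."""
    return driver_enables(filter_fn(url), key)


if __name__ == "__main__":
    for name, url in EVASIONS.items():
        print(f"{name:8} exact-match bypassed={bypasses(filter_exact, url)!s:5} "
              f"hardened bypassed={bypasses(filter_hardened, url)}")
    print(filter_hardened("jdbc:mysql://127.0.0.1:3306/db?useSSL=true&AutoDeserialize=TRUE"))
```

The point of the hardened variant is that it never trusts its own denylist to have seen the attacker's spelling: the key is normalised exactly the way the consumer will normalise it before the decision is made, and the safe values are emitted from a fixed table rather than derived from the input. If the real driver's normalisation differs from the model (for example if keys are case-sensitive in the version in use), the model must be adjusted to match it, never the other way round.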

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.inlong:manager-pojo (Maven)
Affected versions: >= 1.4.0, < 1.9.0
Patched versions: 1.9.0


Patches

Commit 46c4e96a8483

[INLONG-8603][Manager] Fix the vulnerability to security attacks for the MySQL JDBC URL (#8604)

https://github.com/apache/inlong · fuweng11 · Jul 31, 2023 · via ghsa
2 files changed · +11 −13
  • inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java · +2 −4 · modified
    @@ -245,15 +245,13 @@ public static String filterSensitive(String url) {
                         String key = StringUtils.substringBefore(param, "=");
                         String value = StringUtils.substringAfter(param, "=");
     
    -                    if (SENSITIVE_REMOVE_PARAM_MAP.contains(key)) {
    +                    if (SENSITIVE_REMOVE_PARAM_MAP.contains(key) || SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)) {
                             continue;
                         }
     
    -                    if (SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)) {
    -                        value = SENSITIVE_REPLACE_PARAM_MAP.get(key);
    -                    }
                         paramList.add(key + "=" + value);
                     }
    +                SENSITIVE_REPLACE_PARAM_MAP.forEach((key, value) -> paramList.add(key + "=" + value));
     
                     String params = StringUtils.join(paramList, "&");
                     builder.append(params);
    
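Review bot: the filter is still a denylist keyed on exact string equality after whatever normalisation precedes this hunk, so the `paramList.add(key + "=" + value)` line passes through any spelling of a dangerous key that `SENSITIVE_REMOVE_PARAM_MAP` and `SENSITIVE_REPLACE_PARAM_MAP` do not contain verbatim; an allowlist of permitted connection properties, or rejecting the URL when a sensitive key is present instead of silently rewriting it, would close the class rather than this instance. The unconditional `SENSITIVE_REPLACE_PARAM_MAP.forEach((key, value) -> paramList.add(key + "=" + value))` also appends the forced values to every URL, including ones that never mentioned them, which is the right default but deserves a comment here and a sentence in the method's Javadoc since callers will see their URL change.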
  • inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java · +9 −9 · modified
    @@ -33,24 +33,24 @@ public void testFilterSensitive() throws Exception {
             String originUrl = MySQLSinkDTO.filterSensitive(
                     "jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile = TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true");
             Assertions.assertEquals(
    -                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoReconnect=true",
    +                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
                     originUrl);
     
             originUrl = MySQLSinkDTO.filterSensitive(
                     "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize = TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
             Assertions.assertEquals(
    -                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
    +                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
                     originUrl);
     
             originUrl = MySQLSinkDTO.filterSensitive(
                     "jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile = TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
             Assertions.assertEquals(
    -                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
    +                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
                     originUrl);
             originUrl = MySQLSinkDTO.filterSensitive(
                     "jdbc:mysql://127.0.0.1:3306?autoDeserialize=Yes&allowLoadLocalInfile = Yes&autoReconnect=true&allowUrlInLocalInfile=YEs&allowLoadLocalInfileInPath=/");
             Assertions.assertEquals(
    -                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
    +                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
                     originUrl);
     
             // the sensitive params use url code
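Review bot: every updated assertion in this hunk expects the forced parameters in the fixed order `autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false`, which silently pins the iteration order of `SENSITIVE_REPLACE_PARAM_MAP`; unless that map is a `LinkedHashMap`, the test is order-dependent and will break on a map implementation change. Parse the filtered URL back into key/value pairs and compare sets, or assert on the map type. A case whose input contains none of the sensitive keys (for example only `autoReconnect=true`) would also document the new append-always behaviour, which none of these inputs exercise.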
    @@ -59,37 +59,37 @@ public void testFilterSensitive() throws Exception {
                             "jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile = TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true",
                             "UTF-8"));
             Assertions.assertEquals(
    -                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoReconnect=true",
    +                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
                     originUrl);
     
             originUrl = MySQLSinkDTO.filterSensitive(
                     URLEncoder.encode(
                             "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize = TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
                             "UTF-8"));
             Assertions.assertEquals(
    -                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
    +                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
                     originUrl);
     
             originUrl = MySQLSinkDTO.filterSensitive(
                     URLEncoder.encode(
                             "jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile = TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
                             "UTF-8"));
             Assertions.assertEquals(
    -                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
    +                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
                     originUrl);
     
             originUrl = MySQLSinkDTO.filterSensitive(
                     URLEncoder.encode(
                             "jdbc:mysql://127.0.0.1:3306?autoDeserialize=Yes&allowLoadLocalInfile = yes&autoReconnect=true&allowUrlInLocalInfile=YES&allowLoadLocalInfileInPath=/",
                             "UTF-8"));
             Assertions.assertEquals(
    -                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
    +                "jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
                     originUrl);
     
             originUrl = MySQLSinkDTO.filterSensitive(
                     "jdbc:mysql://127.0.0.1:3306?autoDeserialize=%59%65%73&allowLoadLocalInfile = yes&allowUrlInLocalInfil%65+=%74%72%75%45&allowLoadLocalInfileInPath=%2F");
             Assertions.assertEquals(
    -                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
    +                "jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
                     originUrl);
         }
     
    
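Review bot: the last case in this hunk (`allowUrlInLocalInfil%65+=%74%72%75%45`) is the only one exercising a percent-encoded and `+`-padded key, and it covers one parameter; add the same encoding variants for `autoDeserialize` and `allowLoadLocalInfile`, plus a mixed-case key such as `AutoDeserialize`, since whether a spelling the filter ignores is still honoured is decided by the driver's key matching, not by this method. Also note that the `URLEncoder.encode(...)` cases above encode the whole URL, including `jdbc:mysql://` and the `&`/`=` separators, so they do not represent what a caller who encodes only a value would send.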

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
