Apache inlong has an Arbitrary File Read Vulnerability
Description
Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong.
This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can use \t to bypass. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/8814
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong 1.4.0 to 1.8.0 is vulnerable to deserialization of untrusted data; the attacker can bypass filters using tab characters.
Root Cause
CVE-2023-46227 is a Deserialization of Untrusted Data vulnerability in Apache InLong, a one-stop integration framework for massive data [3]. The flaw exists in the component that handles MySQL JDBC URLs. By injecting a tab character (\t) into the URL, an attacker can bypass the input validation or filtering that was intended to block malicious serialized data, leading to unsafe deserialization [1].
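The root-cause paragraph above describes a filter on MySQL JDBC URLs that a tab character defeats. The following Python is an added, illustrative example written for this page; it is not InLong's code, and the denied option names (`unsafeOptionA`, `unsafeOptionB`) and the sample URLs are placeholders, not the real list the project checks. It contrasts a naive substring filter, which a tab inside an option name slips past, with a hardened check that rejects control characters outright and then compares parsed, whitespace-stripped option keys against the deny-list.

```python
import re
from urllib.parse import parse_qsl

# Placeholder option names standing in for whatever the real filter blocks
# (illustrative assumption, not InLong's actual list).
DENIED_OPTIONS = {"unsafeoptiona", "unsafeoptionb"}

# Characters an option name must never contain: space, tab, newline,
# the other C0 controls and DEL. A tab is the bypass the advisory names.
CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def naive_filter(url: str) -> bool:
    """Substring match on the raw string: the pattern a tab defeats.
    Returns True when the URL is accepted."""
    lowered = url.lower()
    return not any(opt in lowered for opt in DENIED_OPTIONS)


def normalize_key(key: str) -> str:
    """Mimic a lenient consumer that drops whitespace inside option names,
    so 'unsafe<TAB>OptionA' and 'unsafeOptionA' compare equal."""
    return CONTROL_OR_SPACE.sub("", key).lower()


def hardened_filter(url: str) -> bool:
    """Reject control characters anywhere in the URL, then compare the
    parsed and normalized option keys against the deny-list.
    Returns True when the URL is accepted."""
    if not url.startswith("jdbc:mysql://"):
        return False
    if CONTROL_OR_SPACE.search(url):
        return False  # defeats the tab trick before any string matching
    _, _, query = url.partition("?")
    for key, _value in parse_qsl(query, keep_blank_values=True):
        if normalize_key(key) in DENIED_OPTIONS:
            return False
    return True


# Constructed sample URLs (not from the advisory).
SAMPLES = {
    "clean": "jdbc:mysql://db.internal:3306/inlong?useSSL=true",
    "plain": "jdbc:mysql://db.internal:3306/inlong?unsafeOptionA=true",
    "tab": "jdbc:mysql://db.internal:3306/inlong?unsafe\tOptionA=true",
}


def evaluate() -> dict:
    """Map each sample name to (naive_accepts, hardened_accepts)."""
    return {name: (naive_filter(u), hardened_filter(u)) for name, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, hard) in evaluate().items():
        verdict = lambda ok: "accept" if ok else "reject"
        print(f"{name:6} naive={verdict(naive):6} hardened={verdict(hard)}")
```

The "tab" sample is the instructive row: the naive filter accepts it because the tab breaks the substring match, while the hardened filter rejects it on the control-character check alone. Rejecting control and whitespace characters before any pattern matching is the simpler and more robust fix than trying to enumerate every spelling a downstream parser might tolerate.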
Attack Vector and Exploitation
The vulnerability affects Apache InLong versions 1.4.0 through 1.8.0. An attacker requires network access to the InLong Manager service endpoint that processes JDBC connection strings. No prior authentication is mentioned as a prerequisite, making the attack surface relatively wide. The exploitation leverages the tab character to escape the intended sanitization checks, enabling the delivery of a crafted serialized payload [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code or perform other malicious actions on the server, depending on the deserialized object's capabilities. This can lead to full compromise of the InLong instance, including data exfiltration, service disruption, or lateral movement within the environment.
Mitigation
The Apache InLong project has released version 1.9.0, which contains the fix [1]. Users unable to upgrade immediately can apply the cherry-pick commit from pull request #8814 [1]. No workaround other than patching is provided. It is recommended to upgrade as soon as possible.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.inlong:manager-common | Maven | >= 1.4.0, < 1.9.0 | 1.9.0 |
| org.apache.inlong:manager-pojo | Maven | >= 1.4.0, < 1.9.0 | 1.9.0 |
Affected products
- GHSA coordinates (2 version ranges, no CPE): >= 1.4.0, < 1.9.0
- GHSA coordinates (no CPE): >= 1.4.0, < 1.9.0
- Apache Software Foundation / Apache InLong, v5 range: 1.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-jj32-3pf5-5mv5 (GHSA, advisory)
- https://lists.apache.org/thread/m8txor4f76tmrxksrmc87tw42g57nz33 (GHSA, vendor advisory, web)
- https://nvd.nist.gov/vuln/detail/CVE-2023-46227 (GHSA, advisory)
- https://github.com/apache/inlong/pull/8814 (GHSA, web)
News mentions
No linked articles in our index yet.