Apache InLong: Remote Code Execution vulnerability in Apache InLong Manager
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong from 1.5.0 through 1.9.0 and could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong 1.10.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/9329
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong Manager versions 1.5.0 through 1.9.0 accept an unvalidated audit source URL in the updateAuditSource endpoint, a code injection flaw that can lead to remote code execution.
Vulnerability
Overview
CVE-2023-51784 is a code injection vulnerability in the Apache InLong Manager component. The root cause is that the updateAuditSource handler accepted an AuditSourceRequest whose url field was never validated: the fix adds a @Pattern constraint restricting url to a MySQL or ClickHouse JDBC URL or an Elasticsearch HTTP URL, and a @Valid annotation on the request body so that the constraint is actually enforced. [1][4] Before the fix, an attacker controlling that field could supply an arbitrary connection string that the backend then used, which the advisory classifies as code injection leading to remote code execution (RCE). [2]
Exploitation
An attacker who can reach the Manager's HTTP API exploits the flaw by sending a crafted POST to the /audit/updateSource endpoint with an attacker-chosen url value. No special network position beyond reachability of the InLong Manager service is needed. [4] The handler resolves the caller through LoginUserUtils.getLoginUser(), so the request is processed in the context of a Manager login; the advisory states no further preconditions. The missing validation on the url parameter is what lets the attacker inject the value the affected method consumes. [1]
Impact
If successfully exploited, an attacker can execute arbitrary code on the server running Apache InLong Manager. Because the Manager controls data ingestion, synchronization and subscription pipelines, a compromise could let the attacker alter pipeline configurations, exfiltrate the data flowing through them, or pivot to other systems in the network. [3][4]
Mitigation
The vulnerability affects Apache InLong versions 1.5.0 through 1.9.0. Users should upgrade to 1.10.0 or cherry-pick the fix from pull request #9329 (commit 1607837be28438c0ccae8da15afb653f2afed090). [1][2][4] No other workaround has been published, and the CVE was not listed in CISA's KEV catalog at the time of disclosure.
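The following is an added example, not code from the Apache InLong project or the fix commit. It transcribes the @Pattern regex added to AuditSourceRequest.url by PR #9329 into Python and applies it with re.fullmatch (Bean Validation's @Pattern requires the whole value to match, and re.ASCII mirrors Java's default ASCII-only \w), so you can see which audit source URLs the patched validator accepts and rejects. It then adds a hypothetical stricter check that allow-lists JDBC query-string properties, because the regex's (\?.*)? group accepts any query string. The sample URLs, host names and the ALLOWED_JDBC_PROPERTIES set are constructed for illustration and are assumptions, not values from the page.

```python
import re
from typing import Tuple
from urllib.parse import parse_qsl, urlsplit

# The regular expression added to AuditSourceRequest.url by the fix (PR #9329),
# transcribed from the Java string literal. Bean Validation's @Pattern uses
# Matcher.matches(), i.e. the whole value must match, so re.fullmatch is used
# below; re.ASCII mirrors Java's default ASCII-only \w and \d.
PATCH_URL_PATTERN = re.compile(
    r"^(jdbc:(mysql|clickhouse)://[\w.]+(:\d+)?/[\w]+(\?.*)?"
    r"|http://[\w.]+(:\d+)?(/[\w]+)+(/\d+(-\d+)?(,\d+(-\d+)?)*)?)",
    re.ASCII,
)


def patched_accepts(url: str) -> bool:
    """True if the @Pattern constraint from the fix would accept this audit source URL."""
    return PATCH_URL_PATTERN.fullmatch(url) is not None


# Hypothetical tightening (not part of the InLong fix): the (\?.*)? group above
# lets any JDBC query string through, so driver connection properties are not
# constrained at all. This allow-list of property names is an assumption for
# illustration; a deployment would pick the properties its audit store needs.
ALLOWED_JDBC_PROPERTIES = frozenset(
    {"useSSL", "requireSSL", "serverTimezone", "characterEncoding",
     "connectTimeout", "socketTimeout"}
)


def strict_check(url: str) -> Tuple[bool, str]:
    """Apply the patch regex, then reject JDBC URLs carrying non-allow-listed properties.

    Returns (accepted, reason).
    """
    if not patched_accepts(url):
        return False, "rejected by @Pattern"
    if url.startswith("jdbc:"):
        # urlsplit does not know the "jdbc:" prefix; strip it so the remainder
        # parses as an ordinary scheme://host:port/path?query URL.
        parts = urlsplit(url[len("jdbc:"):])
        for key, _value in parse_qsl(parts.query, keep_blank_values=True):
            if key not in ALLOWED_JDBC_PROPERTIES:
                return False, f"disallowed JDBC property: {key}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the host names are placeholders.
    samples = [
        "jdbc:mysql://audit.internal:3306/inlong_audit",
        "jdbc:clickhouse://ck.internal:8123/audit",
        "http://es.internal:9200/audit/1-7,9",
        "https://es.internal:9200/audit",                     # only http:// is allowed
        "jdbc:postgresql://audit.internal/db",                # other JDBC drivers rejected
        "jdbc:mysql://audit-db.internal:3306/inlong_audit",   # hyphenated host rejected by [\w.]+
        "jdbc:mysql://audit.internal:3306/inlong_audit?autoDeserialize=true",  # passes the regex
    ]
    for sample in samples:
        print(f"{patched_accepts(sample)!s:5}  {strict_check(sample)[1]:<40}  {sample}")
```

Two things the run makes visible: the patch regex rejects a hyphenated hostname, because [\w.]+ has no '-', yet accepts any query string on a MySQL or ClickHouse URL, so the driver-level properties an operator would least want a caller to set are exactly what the constraint does not cover; the allow-list in strict_check is one way to close that gap in the service layer.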
[1] [INLONG-9328][Manager] Add parameters validation for the updateAuditSource method by hnrainll · Pull Request #9329 · apache/inlong
[2] NVD - CVE-2023-51784
[3] GitHub - apache/inlong: Apache InLong - a one-stop, full-scenario integration framework for massive data
[4] security - CVE-2023-51784: Apache InLong: Remote Code Execution vulnerability in Apache InLong Manager
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.inlong:manager-pojo (Maven) | >= 1.5.0, < 1.10.0 | 1.10.0 |
Affected products
- Apache Software Foundation / Apache InLong, versions 1.5.0 through 1.9.0
Patches
- 1607837be284 [INLONG-9328][Manager] Add parameters validation for the updateAuditSource method (#9329)
2 files changed · +3 −1
inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/audit/AuditSourceRequest.java+2 −0 modified@@ -25,6 +25,7 @@ import lombok.NoArgsConstructor; import javax.validation.constraints.NotBlank; +import javax.validation.constraints.Pattern; /** * Audit source request @@ -45,6 +46,7 @@ public class AuditSourceRequest { private String type; @NotBlank + @Pattern(regexp = "^(jdbc:(mysql|clickhouse)://[\\w.]+(:\\d+)?/[\\w]+(\\?.*)?|http://[\\w.]+(:\\d+)?(/[\\w]+)+(/\\d+(-\\d+)?(,\\d+(-\\d+)?)*)?)", message = "only supports MYSQL, CLICKHOUSE, ELASTICSEARCH url") @ApiModelProperty(value = "Audit source URL, for MYSQL or CLICKHOUSE, is jdbcUrl, and for ELASTICSEARCH is the access URL with hostname:port", required = true) private String url;
inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/controller/AuditController.java+1 −1 modified@@ -65,7 +65,7 @@ public Response<Boolean> refreshCache() { @ApiOperation(value = "Update the audit source") @PostMapping(value = "/audit/updateSource") - public Response<Integer> updateAuditSource(@RequestBody AuditSourceRequest request) { + public Response<Integer> updateAuditSource(@Valid @RequestBody AuditSourceRequest request) { return Response.success(auditService.updateAuditSource(request, LoginUserUtils.getLoginUser().getName())); }
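Review bot: the host class `[\\w.]+` in the new @Pattern on AuditSourceRequest.url does not admit `-`, so any audit store with a hyphenated hostname is rejected with "only supports MYSQL, CLICKHOUSE, ELASTICSEARCH url", while the `(\\?.*)?` tail accepts an arbitrary query string, which is where JDBC driver connection properties are set, so the part of the URL most worth constraining is left unconstrained; suggest `[\\w.-]+` for the host and either dropping the query group or validating the parameters against an allow-list of property names. Note also that the Elasticsearch branch accepts `http://` only, so a TLS-fronted cluster cannot be configured through this endpoint.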
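Review bot: `@Valid` on the `@RequestBody` in AuditController.updateAuditSource enforces the constraint only at this one HTTP entry point; nothing in the diff validates the URL inside `auditService.updateAuditSource` or at the point where it is later used to open a connection, so any other caller of the service (internal, or a future endpoint) bypasses the check. Suggest validating in the service as well, and confirming that a Bean Validation provider is on the classpath, since without one Spring MVC treats `@Valid` as a no-op and the new annotation protects nothing.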
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9xg9-hh45-xcm6 (GHSA advisory)
- lists.apache.org/thread/4nxbyl6mh5jgh0plk0qposbxwn6w9h8j (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-51784 (advisory)
- www.openwall.com/lists/oss-security/2024/01/03/1 (web)
- github.com/apache/inlong/commit/1607837be28438c0ccae8da15afb653f2afed090 (fix commit)
- github.com/apache/inlong/pull/9329 (fix pull request)
News mentions
No linked articles in our index yet.