Apache InLong: Arbitrary File Read Vulnerability in Apache InLong Manager
Description
Deserialization of Untrusted Data vulnerability in Apache InLong.This issue affects Apache InLong: from 1.7.0 through 1.9.0, the attackers can make a arbitrary file read attack using mysql driver. Users are advised to upgrade to Apache InLong's 1.10.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/9331
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong versions 1.7.0 through 1.9.0 are vulnerable to arbitrary file read via deserialization in the StarRocks JDBC URL handling.
Vulnerability
The vulnerability is a deserialization of untrusted data in Apache InLong, specifically affecting versions 1.7.0 through 1.9.0. The issue lies in how the InLong Manager processes JDBC URLs for StarRocks (and potentially other MySQL-compatible databases). The MySQL JDBC driver supports certain connection parameters that can lead to remote file inclusion when deserialized without proper validation [1][2].
Exploitation
An attacker with network access to the InLong Manager service can craft a malicious JDBC URL that includes dangerous parameters such as autoDeserialize, allowLoadLocalInfile, or allowUrlInLocalInfile. When the Manager processes this URL, it triggers deserialization of untrusted data, allowing the attacker to read arbitrary files from the server filesystem [4]. No authentication is mentioned as a prerequisite in the published information, meaning the attack surface may include unauthenticated or low-privileged users who can influence JDBC connection strings.
Impact
Successful exploitation enables an attacker to read arbitrary files on the InLong server, which could include configuration files containing credentials, sensitive business data, or other confidential information. This is a high-severity issue as it compromises the confidentiality of the affected system [2].
Mitigation
The vulnerability is fixed in Apache InLong version 1.10.0. Users unable to upgrade immediately can apply the patch from commit d674bfe28416aff728eabafc1f6b8bb9ba5a5b8e, which adds encoding checks and filters sensitive JDBC URL parameters [1][4]. The patch introduces a utility class MySQLSensitiveUrlUtils that replaces dangerous parameters like autoDeserialize with false and removes allowLoadLocalInfileInPath [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.inlong:manager-pojoMaven | >= 1.5.0, < 1.10.0 | 1.10.0 |
Affected products
2- Apache Software Foundation/Apache InLongv5Range: 1.7.0
Patches
1d674bfe28416[INLONG-9330][Manager] Add encoding check to the StarRocks JDBC URL (#9331)
4 files changed · +116 −72
inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/node/starrocks/StarRocksDataNodeDTO.java+8 −0 modified@@ -21,6 +21,7 @@ import org.apache.inlong.manager.common.exceptions.BusinessException; import org.apache.inlong.manager.common.util.CommonBeanUtils; import org.apache.inlong.manager.common.util.JsonUtils; +import org.apache.inlong.manager.pojo.util.MySQLSensitiveUrlUtils; import io.swagger.annotations.ApiModel; import io.swagger.annotations.ApiModelProperty; @@ -67,4 +68,11 @@ public static StarRocksDataNodeDTO getFromJson(@NotNull String extParams) { } } + /** + * Convert ip:post to jdbcurl. + */ + public static String convertToJdbcUrl(String url) { + return MySQLSensitiveUrlUtils.filterSensitive(url); + } + }
inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java+2 −71 modified@@ -22,6 +22,7 @@ import org.apache.inlong.manager.common.exceptions.BusinessException; import org.apache.inlong.manager.common.util.CommonBeanUtils; import org.apache.inlong.manager.common.util.JsonUtils; +import org.apache.inlong.manager.pojo.util.MySQLSensitiveUrlUtils; import com.google.common.base.Strings; import io.swagger.annotations.ApiModelProperty; @@ -35,13 +36,8 @@ import javax.validation.constraints.NotNull; -import java.net.URLDecoder; -import java.util.ArrayList; -import java.util.HashMap; -import java.util.HashSet; import java.util.List; import java.util.Map; -import java.util.Set; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -54,25 +50,6 @@ @AllArgsConstructor public class MySQLSinkDTO { - /** - * The sensitive param may lead the attack. - */ - private static final Map<String, String> SENSITIVE_REPLACE_PARAM_MAP = new HashMap<String, String>() { - - { - put("autoDeserialize", "false"); - put("allowLoadLocalInfile", "false"); - put("allowUrlInLocalInfile", "false"); - } - }; - - private static final Set<String> SENSITIVE_REMOVE_PARAM_MAP = new HashSet<String>() { - - { - add("allowLoadLocalInfileInPath"); - } - }; - private static final Logger LOGGER = LoggerFactory.getLogger(MySQLSinkDTO.class); private static final String MYSQL_JDBC_PREFIX = "jdbc:mysql://"; @@ -216,54 +193,8 @@ public static String setDbNameToUrl(String jdbcUrl, String databaseName) { return resultUrl.toString(); } - /** - * Filter the sensitive params for the given URL. - * - * @param url str may have some sensitive params - * @return str without sensitive param - */ public static String filterSensitive(String url) { - if (StringUtils.isBlank(url)) { - return url; - } - - try { - String resultUrl = url; - while (resultUrl.contains(InlongConstants.PERCENT)) { - resultUrl = URLDecoder.decode(resultUrl, "UTF-8"); - } - resultUrl = resultUrl.replaceAll(InlongConstants.REGEX_WHITESPACE, InlongConstants.EMPTY); - - if (resultUrl.contains(InlongConstants.QUESTION_MARK)) { - StringBuilder builder = new StringBuilder(); - builder.append(StringUtils.substringBefore(resultUrl, InlongConstants.QUESTION_MARK)); - builder.append(InlongConstants.QUESTION_MARK); - - List<String> paramList = new ArrayList<>(); - String queryString = StringUtils.substringAfter(resultUrl, InlongConstants.QUESTION_MARK); - for (String param : queryString.split(InlongConstants.AMPERSAND)) { - String key = StringUtils.substringBefore(param, InlongConstants.EQUAL); - String value = StringUtils.substringAfter(param, InlongConstants.EQUAL); - - if (SENSITIVE_REMOVE_PARAM_MAP.contains(key) || SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)) { - continue; - } - - paramList.add(key + InlongConstants.EQUAL + value); - } - SENSITIVE_REPLACE_PARAM_MAP.forEach((key, value) -> paramList.add(key + InlongConstants.EQUAL + value)); - - String params = StringUtils.join(paramList, InlongConstants.AMPERSAND); - builder.append(params); - resultUrl = builder.toString(); - } - - LOGGER.info("the origin url [{}] was replaced to: [{}]", url, resultUrl); - return resultUrl; - } catch (Exception e) { - throw new BusinessException(ErrorCodeEnum.SINK_INFO_INCORRECT, - ErrorCodeEnum.SINK_INFO_INCORRECT.getMessage() + ": " + e.getMessage()); - } + return MySQLSensitiveUrlUtils.filterSensitive(url); } }
inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/util/MySQLSensitiveUrlUtils.java+105 −0 added@@ -0,0 +1,105 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.inlong.manager.pojo.util; + +import org.apache.inlong.manager.common.consts.InlongConstants; +import org.apache.inlong.manager.common.exceptions.BaseException; + +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.lang3.StringUtils; + +import java.net.URLDecoder; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Set; + +@Slf4j +public class MySQLSensitiveUrlUtils { + + /** + * The sensitive param may lead the attack. + */ + private static final Map<String, String> SENSITIVE_REPLACE_PARAM_MAP = new HashMap<String, String>() { + + { + put("autoDeserialize", "false"); + put("allowLoadLocalInfile", "false"); + put("allowUrlInLocalInfile", "false"); + } + }; + + private static final Set<String> SENSITIVE_REMOVE_PARAM_MAP = new HashSet<String>() { + + { + add("allowLoadLocalInfileInPath"); + } + }; + + /** + * Filter the sensitive params for the given URL. + * + * @param url str may have some sensitive params + * @return str without sensitive param + */ + public static String filterSensitive(String url) { + if (StringUtils.isBlank(url)) { + return url; + } + + try { + String resultUrl = url; + while (resultUrl.contains(InlongConstants.PERCENT)) { + resultUrl = URLDecoder.decode(resultUrl, "UTF-8"); + } + resultUrl = resultUrl.replaceAll(InlongConstants.REGEX_WHITESPACE, InlongConstants.EMPTY); + + if (resultUrl.contains(InlongConstants.QUESTION_MARK)) { + StringBuilder builder = new StringBuilder(); + builder.append(StringUtils.substringBefore(resultUrl, InlongConstants.QUESTION_MARK)); + builder.append(InlongConstants.QUESTION_MARK); + + List<String> paramList = new ArrayList<>(); + String queryString = StringUtils.substringAfter(resultUrl, InlongConstants.QUESTION_MARK); + for (String param : queryString.split(InlongConstants.AMPERSAND)) { + String key = StringUtils.substringBefore(param, InlongConstants.EQUAL); + String value = StringUtils.substringAfter(param, InlongConstants.EQUAL); + + if (SENSITIVE_REMOVE_PARAM_MAP.contains(key) || SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)) { + continue; + } + + paramList.add(key + InlongConstants.EQUAL + value); + } + SENSITIVE_REPLACE_PARAM_MAP.forEach((key, value) -> paramList.add(key + InlongConstants.EQUAL + value)); + + String params = StringUtils.join(paramList, InlongConstants.AMPERSAND); + builder.append(params); + resultUrl = builder.toString(); + } + + log.info("MySQL original URL {} was replaced to {}", url, resultUrl); + return resultUrl; + } catch (Exception e) { + throw new BaseException(String.format("Failed to filter MySQL sensitive URL: %s, error: %s", + url, e.getMessage())); + } + } +}
inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/node/starrocks/StarRocksDataNodeOperator.java+1 −1 modified@@ -88,7 +88,7 @@ protected void setTargetEntity(DataNodeRequest request, DataNodeEntity targetEnt @Override public Boolean testConnection(DataNodeRequest request) { - String jdbcUrl = request.getUrl(); + String jdbcUrl = StarRocksDataNodeDTO.convertToJdbcUrl(request.getUrl()); String username = request.getUsername(); String password = request.getToken(); Preconditions.expectNotBlank(jdbcUrl, ErrorCodeEnum.INVALID_PARAMETER, "connection jdbcUrl cannot be empty");
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-crwj-2r3c-gx2gghsaADVISORY
- lists.apache.org/thread/g0yjmtjqvp8bnf1j0tdsk0nhfozjdjnoghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-51785ghsaADVISORY
- www.openwall.com/lists/oss-security/2024/01/03/2ghsaWEB
- github.com/apache/inlong/commit/d674bfe28416aff728eabafc1f6b8bb9ba5a5b8eghsaWEB
- github.com/apache/inlong/pull/9331ghsaWEB
News mentions
0No linked articles in our index yet.