Apache InLong SQL Injection vulnerability
Moderate severity
GitHub Reviewed
Published
Jul 6, 2023
to the GitHub Advisory Database
•
Updated Jul 6, 2023
Description
Published by the National Vulnerability Database
Apr 11, 2023
Published to the GitHub Advisory Database
Jul 6, 2023
Reviewed
Jul 6, 2023
Last updated
Jul 6, 2023
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.5.0. By manipulating the "orderType" parameter and the ordering of the returned content using an SQL injection attack, an attacker can extract the username of the user with ID 1 from the "user" table, one character at a time. Users are advised to upgrade to Apache InLong's 1.6.0 or cherry-pick PR #7530 to solve it.
References