CVE-2023-35088 — SQL injection in audit endpoint

Description

Improper Neutralization of Special Elements Used in an SQL Command ('SQL Injection') vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.7.0. In the toAuditCkSql method, the groupId, streamId, auditId, and dt are directly concatenated into the SQL query statement, which may lead to SQL injection attacks. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8198

How to fix CVE-2023-35088

To remediate CVE-2023-35088, upgrade the affected package to a fixed version below.

—upgrade to 1.8.0 or later

Is CVE-2023-35088 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.4.0, < 1.8.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-35088
PATCHgithub.com/apache/inlong
WEBseclists.org/fulldisclosure/2023/Jul/43
WEBgithub.com/apache/inlong/commit/cab63a8eea6c0f4bf3d30ce245b7e1beee42504d
WEB