Platform: java
Component: org.apache.inlong:tubemq-core
Fixed in: 1.12.1, 1.13.0
CVE-2024-36268 describes a Code Injection vulnerability within Apache InLong, potentially leading to Remote Code Execution. This flaw impacts versions 1.10.0 through 1.12.0. A fix is available in version 1.13.0, and users are strongly encouraged to upgrade immediately.
The Code Injection vulnerability in Apache InLong allows an attacker to inject malicious code into the system. Successful exploitation could lead to complete system compromise, including data exfiltration, modification, and denial of service. The attacker could potentially gain control of the InLong cluster and leverage it for further attacks within the network. While no specific real-world exploits have been publicly linked to this vulnerability yet, the potential for RCE makes it a high-priority concern, especially given the complexity of distributed messaging systems like InLong.
CVE-2024-36268 was publicly disclosed on August 2, 2024. Its severity is rated HIGH with a CVSS score of 7.6. There are currently no known active campaigns exploiting this vulnerability, but the availability of a public proof-of-concept could change this rapidly. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 6.79% (91st percentile)
CVSS Vector
The primary mitigation for CVE-2024-36268 is to upgrade Apache InLong to version 1.13.0 or later. If immediate upgrading is not feasible, a temporary workaround is a rigorous review of every path by which user-supplied input reaches InLong, ensuring that such input is properly sanitized and validated to prevent code injection. Implementing strict input validation rules and limiting user privileges also reduce the attack surface. Monitor InLong logs for unusual activity or suspicious code execution attempts. The fix is available in the official GitHub pull request: https://github.com/apache/inlong/pull/10251. After upgrading, confirm the fix by attempting to trigger the vulnerable code path with malicious input and verifying that it is properly sanitized.
Upgrade Apache InLong to version 1.13.0 or apply the patch provided in https://github.com/apache/inlong/pull/10251. This corrects the code injection vulnerability that allows remote code execution. Upgrading as soon as possible is recommended to avoid potential attacks.
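The first step of the mitigation above is knowing whether a build actually pulls in an affected version. The following is an added example, not code from the advisory or from the Apache InLong project: it scans a Maven pom.xml for the org.apache.inlong:tubemq-core dependency named on this page, resolves a ${...} version property, and reports whether the version falls in the affected range 1.10.0 through 1.12.0 (so 1.12.1 and 1.13.0 are reported as not affected, matching the "Fixed in" field). The sample pom and its versions are constructed for the demonstration.

```python
# Added example (not from the advisory or the InLong project): flag pom.xml
# dependencies on org.apache.inlong:tubemq-core whose version lies in the
# range this advisory lists as affected by CVE-2024-36268 (1.10.0 - 1.12.0).
import re
import xml.etree.ElementTree as ET

VULN_GROUP = "org.apache.inlong"
VULN_ARTIFACT = "tubemq-core"
AFFECTED_MIN = (1, 10, 0)   # inclusive, from the advisory
AFFECTED_MAX = (1, 12, 0)   # inclusive, from the advisory
FIXED_VERSION = "1.13.0"    # upgrade target named by the advisory


def parse_version(text):
    """Turn '1.12.0' or '1.12.0-SNAPSHOT' into a comparable (major, minor, patch) tuple.

    Qualifiers after '-' are ignored, so a pre-release of an affected version is
    still flagged (the conservative choice for a vulnerability check)."""
    core = text.strip().split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True if the version is within the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def _local(tag):
    # Strip the Maven XML namespace, e.g. '{http://maven.apache.org/POM/4.0.0}version'.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def scan_pom(pom_xml):
    """Return (groupId, artifactId, resolvedVersion, affected) for every matching dependency.

    Dependencies are found anywhere in the tree, so <dependencyManagement> is covered too."""
    root = ET.fromstring(pom_xml)
    # Collect <properties> so that <version>${inlong.version}</version> can be resolved.
    props = {}
    for child in root:
        if _local(child.tag) == "properties":
            for prop in child:
                props[_local(prop.tag)] = (prop.text or "").strip()
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        group = _child_text(dep, "groupId")
        artifact = _child_text(dep, "artifactId")
        version = _child_text(dep, "version")
        if group != VULN_GROUP or artifact != VULN_ARTIFACT or version is None:
            continue
        resolved = re.sub(r"\$\{([^}]+)\}",
                          lambda m: props.get(m.group(1), m.group(0)), version)
        findings.append((group, artifact, resolved, is_affected(resolved)))
    return findings


# Constructed sample pom.xml for the demonstration; the versions are illustrative.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <inlong.version>1.11.0</inlong.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.inlong</groupId>
      <artifactId>tubemq-core</artifactId>
      <version>${inlong.version}</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for group, artifact, version, affected in scan_pom(SAMPLE_POM):
        status = f"AFFECTED, upgrade to {FIXED_VERSION} or later" if affected else "not affected"
        print(f"{group}:{artifact}:{version} -> {status}")
```

Transitive dependencies are not visible in a pom.xml, so for a complete picture run the same range check over the output of the build tool's resolved dependency tree rather than over the manifest alone.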
CVE-2024-36268 is a Code Injection vulnerability affecting Apache InLong versions 1.10.0 through 1.12.0, allowing potential Remote Code Execution.
If you are using Apache InLong versions 1.10.0 to 1.12.0, you are potentially affected by this vulnerability. Upgrade to 1.13.0 or later to mitigate the risk.
The recommended fix is to upgrade Apache InLong to version 1.13.0 or later. As a temporary workaround, implement strict input validation and code review.
Currently, there are no confirmed reports of active exploitation, but the availability of a public proof-of-concept increases the risk.
Refer to the Apache InLong GitHub repository for updates and advisories: https://github.com/apache/inlong