{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-27528","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2025-02-27T07:32:40.617Z","datePublished":"2025-05-28T08:12:27.609Z","dateUpdated":"2025-05-28T13:20:49.864Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache InLong","vendor":"Apache Software Foundation","versions":[{"lessThanOrEqual":"2.1.0","status":"affected","version":"1.13.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"yulat"},{"lang":"en","type":"finder","value":"m4x"},{"lang":"en","type":"finder","value":"h3h3qaq"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Deserialization of Untrusted Data vulnerability in Apache InLong.</p><p>This issue affects Apache InLong: from 1.13.0 through 2.1.0. \n\n<span style=\"background-color: rgb(255, 255, 255);\">This\nvulnerability allows attackers to bypass the security mechanisms of InLong\nJDBC and leads to arbitrary file reading.&nbsp;</span><span style=\"background-color: var(--wht);\">Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.</span></p><p><span style=\"background-color: rgb(255, 255, 255);\">[1] <a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/inlong/pull/11747\">https://github.com/apache/inlong/pull/11747</a></span></p><p></p>"}],"value":"Deserialization of Untrusted Data vulnerability in Apache InLong.\n\nThis issue affects Apache InLong: from 1.13.0 through 2.1.0. \n\nThis\nvulnerability allows attackers to bypass the security mechanisms of InLong\nJDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it.\n\n[1]  https://github.com/apache/inlong/pull/11747"}],"metrics":[{"other":{"content":{"text":"moderate"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-502","description":"CWE-502 Deserialization of Untrusted Data","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2025-05-28T08:12:27.609Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/b807rqzgyv4qgvxw3nhkq8tl6g90gqgj"},{"tags":["patch"],"url":"https://github.com/apache/inlong/pull/11747"}],"source":{"discovery":"UNKNOWN"},"title":"Apache InLong: JDBC Vulnerability for Invisible Character Bypass Leading to Arbitrary File Read","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2025/05/28/3"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-05-28T09:04:24.174Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.1,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"NONE","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-05-28T13:20:18.115387Z","id":"CVE-2025-27528","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-28T13:20:49.864Z"}}]}}