CVE-2022-40955

CVE-2022-40955: Deserialization attack in Apache InLong prior to version 1.3.0 allows RCE via JDBC

Vendor Apache Software Foundation

Product Apache InLong

Weakness CWE-502 · Unsafe deserialization

Published September 20, 2022

Last update May 29, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.

Key dates

Disclosure timeline

September 20, 2022 CVE published

May 29, 2025 Record updated