CVE-2023-34434

7.5 HIGH

📋 TL;DR

This CVE describes a deserialization vulnerability in Apache InLong that allows attackers to bypass security controls and read arbitrary files. It affects Apache InLong versions 1.4.0 through 1.7.0. Organizations using these versions are vulnerable to unauthorized file access.

💻 Affected Systems

Products:
  • Apache InLong
Versions: 1.4.0 through 1.7.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive system files, configuration files, or application data, potentially leading to credential theft, data exfiltration, or further system compromise.

🟠 Likely Case

Unauthorized reading of application configuration files, potentially exposing database credentials, API keys, or other sensitive configuration data.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to the compromised application's accessible files only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

The vulnerability allows bypassing existing security logic, suggesting exploitation may not require advanced skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.0

Vendor Advisory: https://lists.apache.org/thread/7f1o71w5r732cspltmtdydn01gllf4jo

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Download Apache InLong 1.8.0 from official sources.
3. Stop the InLong service.
4. Replace the installation with version 1.8.0.
5. Restart the service.
6. Verify functionality.

🔧 Temporary Workarounds

Cherry-pick security fix

Applies to: all

Apply the specific security patch from GitHub without upgrading to 1.8.0:

git cherry-pick <commit-hash>   (commit taken from https://github.com/apache/inlong/pull/8130)

🧯 If You Can't Patch

  • Implement strict network access controls to limit InLong service exposure
  • Deploy web application firewall (WAF) rules to detect and block deserialization attempts

🔍 How to Verify

Check if Vulnerable:

Check the InLong version in application logs or configuration files. If the version is between 1.4.0 and 1.7.0 inclusive, the system is vulnerable.

Check Version:

Check application logs or configuration files for version information specific to your deployment method.

Verify Fix Applied:

After patching, verify the version shows 1.8.0 or later, and test that the deserialization endpoint no longer accepts malicious payloads.
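The version check above, written out as an added example (not part of this advisory and not Apache InLong code). It takes a version string you have already pulled from a deployment and classifies it against the inclusive affected range 1.4.0 through 1.7.0 and the fixed release 1.8.0, which are the only facts taken from the advisory. The log-line wording it parses (`InLong version: 1.6.1`, `inlong.version=1.7.0`) is a constructed assumption; adjust the pattern to whatever your deployment actually prints. It also flags pre-release builds at or above 1.8.0 (such as a `1.8.0-SNAPSHOT`) for manual review, because a snapshot may have been cut before the fix commit landed.

```python
"""Version-range check for CVE-2023-34434 (Apache InLong 1.4.0 through 1.7.0).

Added example, not part of the original advisory and not Apache InLong code.
The range bounds and the fixed release come from the advisory; the log-line
formats below are constructed assumptions about a deployment.
"""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (1, 4, 0)   # first affected release, per the advisory
AFFECTED_MAX = (1, 7, 0)   # last affected release, per the advisory
FIXED = (1, 8, 0)          # first release carrying the official fix

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+.]?([A-Za-z][\w.-]*))?$")
_PRERELEASE_RE = re.compile(r"\b(snapshot|rc\d*|alpha\d*|beta\d*)\b", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split 'MAJOR.MINOR.PATCH[-suffix]' into a comparable integer tuple and
    the optional suffix (e.g. 'incubating', 'SNAPSHOT'). Raises ValueError
    for anything that is not a three-part version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4)


def classify(version: str) -> str:
    """Return VULNERABLE, FIXED, NOT_IN_RANGE or REVIEW for one version string.

    REVIEW marks pre-release builds at or above 1.8.0 (e.g. '1.8.0-SNAPSHOT'):
    the version number alone cannot prove such a build contains the fix.
    """
    core, suffix = parse_version(version)
    if AFFECTED_MIN <= core <= AFFECTED_MAX:
        return "VULNERABLE"          # inclusive range stated by the advisory
    if core >= FIXED:
        if suffix and _PRERELEASE_RE.search(suffix):
            return "REVIEW"
        return "FIXED"
    return "NOT_IN_RANGE"            # older than 1.4.0: outside the stated range


def extract_version(line: str) -> Optional[str]:
    """Pull a version token out of a log or config line such as
    'InLong version: 1.6.1' or 'inlong.version=1.7.0' (assumed formats)."""
    m = re.search(r"[Vv]ersion[:=\s]+(v?\d+\.\d+\.\d+[\w.-]*)", line)
    return m.group(1) if m else None


def check_log_line(line: str) -> str:
    """Verdict for one line; UNKNOWN when no parseable version is present."""
    found = extract_version(line)
    if not found:
        return "UNKNOWN"
    try:
        return classify(found)
    except ValueError:
        return "UNKNOWN"


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real deployment.
    samples = [
        "2023-07-01 10:00:00 INFO  Manager - Apache InLong version: 1.6.1 started",
        "inlong.version=1.7.0",
        "2023-08-01 INFO Starting InLong version 1.8.0",
        "build: InLong version 1.8.0-SNAPSHOT",
        "INFO Starting InLong version 1.3.0",
        "no version here",
    ]
    for s in samples:
        print(f"{check_log_line(s):13s} {s}")
```

Run it over the lines your deployment prints (or feed `classify` the version from package metadata) and treat every VULNERABLE and REVIEW result as needing the 1.8.0 upgrade or the cherry-picked fix; the range comparison is inclusive on both ends, matching the advisory.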

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from InLong processes
  • Deserialization errors or warnings in application logs
  • Requests to file reading endpoints with unusual parameters

Network Indicators:

  • Unusual outbound file transfers from InLong servers
  • Patterns of requests attempting to bypass deserialization controls

SIEM Query:

source="inlong.logs" AND (deserialization OR file_read OR path_traversal)
