raboof commented on PR #8628: URL: https://github.com/apache/inlong/pull/8628#issuecomment-2379103451
Apologies, the description of this CVE was somewhat misleading: there was never an SQL Injection problem here, but instead a Log injection problem. This was correctly marked as such in the CVE title (https://www.cve.org/CVERecord?id=CVE-2023-43667), but unfortunately not in the problem type as found in the CWE classification and in the description body. To make matters worse, the NVD ignores the CVE title, making the NVD/GitHub Advisories representation of the advisory even more confusing.

It seems plausible that this indeed resolves the log injection issue. Do you have any reason to think otherwise? If you believe you have found an undisclosed security issue with Inlong, we'd appreciate it if you could share it through our private reporting process, https://apache.org/security/

I have updated the CWE classification and the description of the advisory. Hopefully this will trickle down into the NVD and GitHub Advisories databases with time.
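For readers unfamiliar with the distinction drawn in the comment above, the following is an added example (not Inlong's code, and not tied to the fix in this PR) of the vulnerability class in question, log injection (CWE-117): an untrusted value containing a newline is written into a log record and so forges a second, attacker-chosen record. The log format, the `neutralize` helper and the sample input are all constructed for illustration.

```python
import re

# Constructed log format for the demo: one record per line, as most
# line-oriented log shippers and SIEM parsers assume.
LOG_FORMAT = "{level} [{component}] login failed for user={user}"

# Constructed attacker input: the username ends with a newline followed
# by a fake record claiming a successful admin login.
FORGED_USER = "alice\nINFO [auth] login succeeded for user=admin"

# Control characters that can terminate a record (CR, LF) or drive
# terminal escapes (ESC and friends) when the log is viewed.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def log_line_unsafe(user: str, component: str = "auth") -> str:
    """Vulnerable pattern: the untrusted value is interpolated verbatim."""
    return LOG_FORMAT.format(level="WARN", component=component, user=user)


def neutralize(value: str) -> str:
    """Escape control characters so a value can never start a new record.

    Each control byte is rewritten as a visible \\xNN token; the original
    content remains recoverable for investigation, but a line-oriented
    consumer sees exactly one record.
    """
    return _CTRL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def log_line_safe(user: str, component: str = "auth") -> str:
    """Hardened pattern: neutralize untrusted fields before formatting."""
    return LOG_FORMAT.format(level="WARN", component=component,
                             user=neutralize(user))


def count_records(log_text: str) -> int:
    """Number of records a line-oriented log consumer would ingest."""
    return sum(1 for line in log_text.split("\n") if line)


def looks_forged(log_text: str) -> bool:
    """Detection heuristic for already-written logs: a single write that
    yields more than one record is a strong sign of injected newlines."""
    return count_records(log_text) > 1


if __name__ == "__main__":
    unsafe = log_line_unsafe(FORGED_USER)
    safe = log_line_safe(FORGED_USER)
    print("unsafe write produced", count_records(unsafe), "record(s):")
    print(unsafe)
    print("safe write produced", count_records(safe), "record(s):")
    print(safe)
```

The unsafe write yields two records, the second of which reads as a genuine successful admin login to anyone grepping or shipping the file; the safe write yields one record in which the injected newline is visible as `\x0a`. Escaping (rather than silently stripping) is the usual choice because it preserves evidence of the attempt.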