CVE-2023-35088: 
Java vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2023-35088) was discovered in Apache InLong versions 1.4.0 through 1.7.0. The vulnerability exists in the toAuditCkSql method, where parameters groupId, streamId, auditId, and dt are directly concatenated into SQL query statements without proper sanitization (NVD, OSS-Security).

The vulnerability is classified as an Improper Neutralization of Special Elements Used in an SQL Command (SQL Injection) with a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue stems from the direct concatenation of user-controllable parameters (groupId, streamId, auditId, and dt) into SQL query statements in the toAuditCkSql method, making it susceptible to SQL injection attacks (NVD).

Given the CVSS score of 9.8, this vulnerability has critical severity with potential for high impact on confidentiality, integrity, and availability of the affected systems. The SQL injection vulnerability could allow attackers to manipulate database queries, potentially leading to unauthorized access, data manipulation, or exposure of sensitive information (NVD).

Users are advised to upgrade to Apache InLong version 1.8.0 or apply the fix by cherry-picking the patch from the provided pull request. The fix is available at https://github.com/apache/inlong/pull/8198 (Apache-Advisory).