CVE-2022-39944

2022-10-2616:15:11

CWE-502

[email protected]

web.nvd.nist.gov

apache linkis

mysql connector/j

deserialization vulnerability

remote code execution

cve-2022-39944

nvd

security update

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.3%

JSON

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.2.0 will be affected, We recommend users to update to 1.3.0.

Affected configurations

Vulners

NVD

Node

apachelinkisRange≤1.2.0

CPENameOperatorVersion
apache:linkisapache linkisle1.2.0

CPE	Name	Operator	Version
apache:linkis	apache linkis	le	1.2.0

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Linkis",
    "versions": [
      {
        "version": "Apache Linkis",
        "status": "affected",
        "lessThanOrEqual": "1.2.0",
        "versionType": "custom"
      }
    ]
  }
]