CVE-2022-44644

2023-01-31 10:15:09
CWE-20
apache
web.nvd.nist.gov
cve-2022-44644
apache linkis
mysql connector/j
data source module
file read
upgrade
nvd

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.1
Confidence: High

EPSS: 0.001
Percentile: 18.6%

In Apache Linkis <=1.3.0, when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting to a rogue MySQL server and setting allowLoadLocalInfile to true in the JDBC parameters. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 are affected.

We recommend users upgrade Linkis to version 1.3.1.
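A sketch of the parameter blacklisting the description calls for, as an added example that is not Linkis's own code: it checks both the JDBC URL query string and a separately supplied parameter map before a data source is accepted. The class name, method names and sample URLs are hypothetical, and every blocked entry other than allowLoadLocalInfile is a Connector/J property chosen here as an assumption.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class JdbcParamGuard {
    // allowLoadLocalInfile is the parameter named in the advisory. The other
    // entries are Connector/J properties added here as an assumption; this is
    // not the list Linkis itself uses.
    private static final Set<String> BLOCKED = Set.of(
        "allowloadlocalinfile", "allowloadlocalinfileinpath",
        "allowurlinlocalinfile", "autodeserialize");

    /** Returns the blocked names found in the URL query or in the parameter map. */
    static List<String> findBlocked(String jdbcUrl, Map<String, String> params) {
        List<String> hits = new ArrayList<>();
        int q = jdbcUrl.indexOf('?');
        if (q >= 0) {
            for (String pair : jdbcUrl.substring(q + 1).split("&")) {
                check(pair.split("=", 2)[0], hits);
            }
        }
        for (String key : params.keySet()) check(key, hits);
        return hits;
    }

    private static void check(String rawKey, List<String> hits) {
        try {
            // Decode and lower-case first so differently cased or
            // percent-encoded keys are compared in one canonical form.
            String key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8)
                                   .trim().toLowerCase(Locale.ROOT);
            if (BLOCKED.contains(key)) hits.add(key);
        } catch (IllegalArgumentException e) {
            hits.add("<undecodable key>"); // malformed escapes are rejected, not ignored
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; host and database names are placeholders.
        String[] urls = {
            "jdbc:mysql://db.example.internal:3306/reports?useSSL=true",
            "jdbc:mysql://db.example.internal:3306/reports?AllowLoadLocalInfile=true",
            "jdbc:mysql://db.example.internal:3306/reports?%61llowLoadLocalInfile=true"
        };
        for (String u : urls) System.out.println(findBlocked(u, Map.of()) + "  " + u);
        // Same parameter supplied through the separate map instead of the URL.
        System.out.println(findBlocked(urls[0], Map.of("allowLoadLocalInfile", "true")));
    }
}
```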

Affected configurations

Nvd

Node: apache linkis
Range: 1.3.0

Vendor  Product  Version  CPE
apache  linkis   *        cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Linkis (incubating)",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "1.3.1",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]
