CVE-2023-27603

2023-04-1008:15:07

CWE-22

[email protected]

web.nvd.nist.gov

apache linkis

rce

cve-2023-27603

zip slip

nvd

security

upgrade

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.016 Low

EPSS

Percentile

87.6%

JSON

In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability.

We recommend users upgrade the version of Linkis to version 1.3.2.

Affected configurations

Vulners

NVD

Node

apachelinkisRange≤1.3.1

CPENameOperatorVersion
apache:linkisapache linkisle1.3.1

CPE	Name	Operator	Version
apache:linkis	apache linkis	le	1.3.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Linkis",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.3.1",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]