CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 89.9% |
In Apache Linkis <=1.3.1, because the JDBC EngineConn module does not effectively filter connection parameters, an attacker who can configure malicious MySQL JDBC parameters can trigger a deserialization vulnerability and ultimately achieve remote code execution. The parameters in the MySQL JDBC URL should therefore be blacklisted. Users should upgrade Linkis to version 1.3.2.
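The mitigation the advisory describes, as an added illustration that is not code from the Linkis project: a guard that parses the query string of a MySQL JDBC URL and rejects known-dangerous Connector/J connection properties before any connection is opened. The denied property names are the editor's assumption from MySQL Connector/J documentation, not a list taken from the fix commit, and the code assumes Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;

// Rejects MySQL JDBC connection strings carrying properties that let the driver
// deserialize server-supplied data or read client-side files.
public final class JdbcUrlGuard {
    // Connector/J property names known to the editor; assumed to be the ones
    // worth denying here, not a list copied from the Linkis fix commit.
    private static final Set<String> DENIED = new HashSet<>(Arrays.asList(
        "autodeserialize", "allowloadlocalinfile",
        "allowurlinlocalinfile", "allowloadlocalinfileinpath"));

    // Splits the query part of a JDBC URL into decoded, lower-cased keys.
    static Map<String, String> queryParams(String jdbcUrl) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return params;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String val = eq < 0 ? "" : pair.substring(eq + 1);
            // percent-decode and normalise case so an encoded or mixed-case
            // spelling of a denied name cannot slip past the comparison
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8).trim().toLowerCase(Locale.ROOT),
                       URLDecoder.decode(val, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Throws for a non-MySQL URL or a denied property, whether the property
    // arrives in the URL query or in a separate connection-properties map.
    public static void validate(String jdbcUrl, Map<String, String> extraProps) {
        if (!jdbcUrl.toLowerCase(Locale.ROOT).startsWith("jdbc:mysql:"))
            throw new IllegalArgumentException("not a MySQL JDBC URL");
        Map<String, String> all = queryParams(jdbcUrl);
        if (extraProps != null)
            extraProps.forEach((k, v) -> all.put(k.trim().toLowerCase(Locale.ROOT), v));
        for (String key : all.keySet())
            if (DENIED.contains(key))
                throw new IllegalArgumentException("denied JDBC property: " + key);
    }

    public static void main(String[] args) {
        validate("jdbc:mysql://db.internal:3306/app?useSSL=true", null);          // accepted
        validate("jdbc:mysql://db.internal:3306/app?autoDeserialize=true", null); // throws
    }
}
```

An allowlist of the handful of properties a deployment actually needs is the stronger control; the denylist above only mirrors the mitigation the advisory describes.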
Vendor | Product | Version | CPE |
---|---|---|---|
org.apache.linkis | linkis-engineconn | * | cpe:2.3:a:org.apache.linkis:linkis-engineconn:*:*:*:*:*:*:*:* |
www.openwall.com/lists/oss-security/2023/04/10/4
github.com/advisories/GHSA-qm2h-m799-86rc
github.com/apache/linkis/commit/7005c01d7f7bca78322447f4f2f32b8398645687
linkis.apache.org/download/release-notes-1.3.2/
lists.apache.org/thread/o682wz1ggq491ybvjwokxvcdtnzo76ls
nvd.nist.gov/vuln/detail/CVE-2023-29215