Apache Linkis Authentication Bypass vulnerability

2023-07-0619:24:13

Google

osv.dev

apache linkis

authentication bypass

vulnerability

upgrade

token generation

linkis gateway

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

0.005 Low

EPSS

Percentile

77.2%

JSON

In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values.

We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization.

CPENameOperatorVersion
org.apache.linkis:linkiseq1.2.0
org.apache.linkis:linkiseq1.1.0
org.apache.linkis:linkiseq1.3.1
org.apache.linkis:linkiseq1.1.2
org.apache.linkis:linkiseq1.3.0
org.apache.linkis:linkiseq1.1.1
org.apache.linkis:linkiseq1.1.3
org.apache.linkis:linkiseq1.0.3

Name	Operator	Version
org.apache.linkis:linkis	eq	1.2.0
org.apache.linkis:linkis	eq	1.1.0
org.apache.linkis:linkis	eq	1.3.1
org.apache.linkis:linkis	eq	1.1.2
org.apache.linkis:linkis	eq	1.3.0
org.apache.linkis:linkis	eq	1.1.1
org.apache.linkis:linkis	eq	1.1.3
org.apache.linkis:linkis	eq	1.0.3