18 matches found
CVE-2022-39944
Summary: CVE-2022-39944 affects Apache Linkis <= 1.2.0 when used with MySQL Connector/J, enabling a deserialization vulnerability that can lead to remote code execution if an attacker has write access to a database and provides malicious parameters in a JDBC EngineConn (EC) with a MySQL data source. The is...
CVE-2023-29216
In Apache Linkis, the DatasourceManager module (<=1.3.1) suffers a deserialization vulnerability caused by unfiltered parameters, enabling an attacker to configure a new data source via the MySQL data source and trigger remote code execution. Affected versions: Linkis 1.3.1 and earlier (
CVE-2023-46801
Apache Linkis vulnerable to remote code execution in the DataSource MySQL handler: on a JDK older than 1.8.0_241, a malicious MySQL data source can trigger a JRMP-based deserialization. Mitigation: upgrade the JDK to 1.8.0_241 or later and/or upgrade Linkis to version 1.6.0. If upgrading is not immediately possible, validate and restrict JRMP usage and account privileges to reduce exposure. If exploitation details are not ...
CVE-2023-50740
CVE-2023-50740 affects Apache Linkis
CVE-2023-41916
CVE-2023-41916 affects Apache Linkis DataSource Manager: inadequate filtering of parameters allows an authorized attacker to configure malicious MySQL JDBC parameters and trigger arbitrary file reads in Linkis
CVE-2024-45627
Summary (CVE-2024-45627) In Apache Linkis, versions earlier than 1.7.0 are vulnerable due to insufficient filtering of parameters in the DataSource Manager’s MySQL JDBC configuration. An attacker with an authorized Linkis account can configure malicious MySQL JDBC parameters to read arbitrary fil...
CVE-2022-44644
CVE-2022-44644: Apache Linkis local file read vulnerability. Affected: Apache Linkis
CVE-2022-44645
CVE-2022-44645 affects Apache Linkis
CVE-2024-39928
Summary of CVE-2024-39928 (Apache Linkis Spark EngineConn) Affected software: Apache Linkis Spark EngineConn in versions up to 1.5.0 (engine component referenced as EngineConn/Spark EngineConn). Vulnerability: Random string generation for Py4j token uses Commons Lang’s RandomStringUtils, enabling...
CVE-2023-49566
CVE-2023-49566 affects Apache Linkis 1.5.0 and earlier, specifically the DataSource Manager Module where DB2 URL parameters can be crafted to trigger a JNDI injection due to insufficient filtering. The attack requires an attacker with an authorized Linkis account and can enable exploitation throu...
CVE-2023-27602
Summary: CVE-2023-27602 affects Apache Linkis <= 1.3.1, where the PublicService module allows uploading files without restrictions on path or type. This may enable arbitrary file uploads and, per CNVD, could lead to remote code execution. Impact (as stated): Potential total impact via arbitrar...
CVE-2023-27603
CVE-2023-27603 affects Apache Linkis
CVE-2023-29215
Affected software: Apache Linkis 1.3.1 and earlier (<= 1.3.1;
CVE-2023-27987
CVE-2023-27987 affects Apache Linkis
CVE-2024-27181
CVE-2024-27181 affects Apache Linkis prior to 1.6.0. The issue is privilege escalation in the Basic management services where an attacker with a trusted account can access Linkis token information, elevating privileges. The root cause is elevation of privilege through trusted-account access to se...
CVE-2024-27182
CVE-2024-27182 affects Apache Linkis
CVE-2025-29847
CVE-2025-29847 (Apache Linkis) : A vulnerability in Apache Linkis where, when using the JDBC engine and data source, multiple URL-encoded parameters on the frontend can bypass checks and allow unauthorized access to system files via JDBC parameters. Affected versions: 1.3.0–1.7.0. Impact: potenti...
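The three DataSource Manager entries above (CVE-2023-41916, CVE-2024-45627 and CVE-2025-29847) share one root cause: user-controlled MySQL JDBC parameters reach Connector/J without being filtered, and in the last case the filter is bypassed by URL-encoding the parameter name. The block below is an added example, not code from the Linkis project, showing the shape of a check that survives that bypass: it decodes to a fixed point before comparing, case-folds the key, and rejects the Connector/J options that turn a connection into a file read (`allowLoadLocalInfile`, `allowUrlInLocalInfile`, `allowLoadLocalInfileInPath`) or a deserialization sink (`autoDeserialize`, the interceptor properties). The option names are real Connector/J properties; the function names and the sample URLs are assumptions for illustration.

```python
"""Added example (not Apache Linkis code): reject dangerous MySQL Connector/J
parameters in a user-supplied JDBC URL, including URL-encoded and case-varied
spellings of the parameter name."""
from urllib.parse import unquote

# Connector/J properties that let a connection read local files
# (LOAD DATA LOCAL INFILE) or deserialize attacker-controlled bytes.
# A deny-list is a floor, not a ceiling; an allow-list of the few
# options a data source actually needs is the stronger design.
DANGEROUS_PARAMS = {
    "allowloadlocalinfile",
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
    "autodeserialize",
    "queryinterceptors",
    "statementinterceptors",
    "exceptioninterceptors",
    "connectionlifecycleinterceptors",
}


def fully_decode(value: str, max_rounds: int = 6) -> str:
    """Percent-decode until the string stops changing, so that
    %61llow... and doubly-encoded %2561llow... both become allow....
    Raises if the nesting is deeper than max_rounds - 1 levels."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("excessive URL-encoding nesting")


def parse_jdbc_params(url: str) -> dict:
    """Split the query string of jdbc:mysql://host:port/db?k=v&k2=v2
    into a dict keyed by the fully decoded, lower-cased parameter name."""
    if not url.lower().startswith("jdbc:mysql://"):
        raise ValueError("only jdbc:mysql URLs are handled")
    _, _, query = url.partition("?")
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[fully_decode(key).strip().lower()] = fully_decode(value)
    return params


def validate_jdbc_url(url: str) -> list:
    """Return the reasons a URL is rejected; an empty list means accepted."""
    try:
        params = parse_jdbc_params(url)
    except ValueError as exc:
        return [f"rejected: {exc}"]
    return sorted(name for name in params if name in DANGEROUS_PARAMS)


if __name__ == "__main__":
    # Constructed sample URLs, assumed for illustration.
    for sample in (
        "jdbc:mysql://db:3306/linkis?useSSL=false&characterEncoding=utf8",
        "jdbc:mysql://db:3306/linkis?allowLoadLocalInfile=true&allowUrlInLocalInfile=true",
        "jdbc:mysql://db:3306/linkis?%61llowLoad%4cocalInfile=true",
        "jdbc:mysql://db:3306/linkis?%2561utoDeserialize=true",
    ):
        print(sample, "->", validate_jdbc_url(sample) or "ok")
```

Comparing against the raw query string, which is what a naive filter does, would pass the third and fourth samples straight through; decoding to a fixed point first is what closes the encoding bypass. The bounded decode loop matters too: an unbounded one is a cheap denial-of-service target.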
CVE-2025-59355
Apache Linkis CVE-2025-59355 affects 1.0.0–1.7.0, where HiveUtils.decode() may log the full input parameter on Base64 decode failure, risking leakage of sensitive values (e.g., hive-site.xml passwords) if error logs are readable. A fix is available in 1.8.0+ that desensitizes the log (logger.erro...
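The failure mode in CVE-2025-59355 is a decode helper that, on error, writes its whole input to the log. The block below is an added example, not the Linkis HiveUtils code or its 1.8.0 fix: it puts the leaky pattern beside a version that logs only a length and a hash prefix of the input, and records what each one actually wrote to the log so the difference can be checked. The logger name, the helper names and the sample inputs are assumptions for illustration.

```python
"""Added example (not Apache Linkis code): Base64 decode helper whose error
log carries a fingerprint of the input instead of the input itself."""
import base64
import binascii
import hashlib
import logging
from typing import Optional


class _CaptureHandler(logging.Handler):
    """Collects formatted log lines so the test can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.records = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


LOG = _CaptureHandler()
logger = logging.getLogger("hive-utils-example")  # assumed name
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(LOG)


def redact(value: str) -> str:
    """Describe a value without revealing it: length plus 8 hex chars of SHA-256,
    enough to correlate repeated failures of the same input in the logs."""
    digest = hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]
    return f"<{len(value)} chars, sha256:{digest}>"


def decode_leaky(value: str) -> Optional[str]:
    """Pattern to avoid: the raw input (possibly a password) lands in the log."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        logger.error("decode failed for input %s: %s", value, exc)
        return None


def decode_safely(value: str) -> Optional[str]:
    """Same behaviour, but the log line only carries redact(value)."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        logger.error("decode failed for input %s: %s", redact(value), exc)
        return None


if __name__ == "__main__":
    # Constructed inputs: one valid, one that looks like a plaintext password.
    print(decode_safely("aGVsbG8="))
    print(decode_safely("s3cr3t-passw0rd!"))
    print(decode_leaky("s3cr3t-passw0rd!"))
    for line in LOG.records:
        print("LOG:", line)
```

The exception message itself is kept, since Python's `binascii.Error` text does not echo the input; check that the same holds for whatever decoder you use before forwarding its message.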