Linkis Security Vulnerabilities and Issues — Linkis CVE List

Lucene search

ApacheLinkis

16 matches found

CVE•added 2022/10/26 4:15 p.m.•68 views

CVE-2022-39944

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters i...

8.8CVSS8.9AI score0.01384EPSS

CVE•added 2023/04/10 8:15 a.m.•64 views

CVE-2023-29216

In Apache Linkis <=1.3.1, because the parameters are noteffectively filtered, the attacker uses the MySQL data source and malicious parameters toconfigure a new data source to trigger a deserialization vulnerability, eventually leading toremote code execution.Versions of Apache Linkis <= 1.3....

9.8CVSS9.4AI score0.03106EPSS

CVE•added 2024/03/06 2:15 p.m.•61 views

CVE-2023-50740

In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade the version of Linkis to version 1.5.0

5.3CVSS5.2AI score0.00093EPSS

CVE•added 2024/07/15 8:15 a.m.•58 views

CVE-2023-46801

In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them. This attack r...

8.8CVSS8.9AI score0.02464EPSS

CVE•added 2023/01/31 10:15 a.m.•57 views

CVE-2022-44644

In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should b...

6.5CVSS6.2AI score0.00113EPSS

CVE•added 2023/04/10 8:15 a.m.•54 views

CVE-2023-27602

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properti...

9.8CVSS9.5AI score0.00358EPSS

CVE•added 2024/07/15 8:15 a.m.•54 views

CVE-2023-41916

In Apache Linkis =1.4.0, due to the lack of effective filteringof parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the...

6.5CVSS6.3AI score0.00252EPSS

CVE•added 2023/01/31 10:15 a.m.•53 views

CVE-2022-44645

In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the paramet...

8.8CVSS8.9AI score0.02662EPSS

CVE•added 2024/09/25 1:15 a.m.•51 views

CVE-2024-39928

In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang's RandomStringUtils.Users are recommended to upgrade to version 1.6.0, which fixes this issue.

7.5CVSS7.5AI score0.002EPSS

CVE•added 2024/07/15 8:15 a.m.•50 views

CVE-2023-49566

In Apache Linkis <=1.5.0, due to the lack of effective filteringof parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted. This attack requires the attacker to obt...

8.8CVSS8.8AI score0.00749EPSS

CVE•added 2025/01/14 5:15 p.m.•49 views

CVE-2024-45627

In Apache Linkis <1.7.0, due to the lack of effective filteringof parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be...

5.9CVSS6.3AI score0.0004EPSS

CVE•added 2023/04/10 8:15 a.m.•48 views

CVE-2023-27603

In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability. We recommend users upgrade the version of Linkis to version 1.3.2.

9.8CVSS9.5AI score0.0024EPSS

CVE•added 2023/04/10 8:15 a.m.•42 views

CVE-2023-27987

In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to version 1.3.2 And modify...

9.1CVSS9.2AI score0.00096EPSS

CVE•added 2023/04/10 8:15 a.m.•42 views

CVE-2023-29215

In Apache Linkis <=1.3.1, due to the lack of effective filteringof parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger adeserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC ...

9.8CVSS9.8AI score0.03106EPSS

CVE•added 2024/08/02 10:15 a.m.•38 views

CVE-2024-27181

In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue.

8.8CVSS6.5AI score0.00312EPSS

CVE•added 2024/08/02 10:16 a.m.•36 views

CVE-2024-27182

In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user .Users are recommended to upgrade to version 1.6.0, which fixes this issue.

4.9CVSS6.5AI score0.00384EPSS