7 matches found
CVE-2023-29216
In Apache Linkis <=1.3.1, because the parameters are noteffectively filtered, the attacker uses the MySQL data source and malicious parameters toconfigure a new data source to trigger a deserialization vulnerability, eventually leading toremote code execution.Versions of Apache Linkis
CVE-2022-44644
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should b...
CVE-2023-27602
In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions
CVE-2022-44645
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the paramet...
CVE-2023-27603
In Apache Linkis
CVE-2023-27987
In Apache Linkis
CVE-2023-29215
In Apache Linkis <=1.3.1, due to the lack of effective filteringof parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger adeserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC ...