Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04Y3ZxLTNqanAtcGg5cM4ABDUB
Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability
Affected versions:
- Apache Linkis Metadata Query Service JDBC 1.5.0 before 1.7.0
Description:
In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.6.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.7.0.
Permalink: https://github.com/advisories/GHSA-8cvq-3jjp-ph9pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04Y3ZxLTNqanAtcGg5cM4ABDUB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 days ago
Updated: 3 days ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Percentage: 0.00043
EPSS Percentile: 0.11266
Identifiers: GHSA-8cvq-3jjp-ph9p, CVE-2024-45627
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-45627
- https://lists.apache.org/thread/0zzx8lldwoqgzq98mg61hojgpvn76xsh
- http://www.openwall.com/lists/oss-security/2025/01/14/1
- https://github.com/advisories/GHSA-8cvq-3jjp-ph9p
Affected Packages
maven:org.apache.linkis:linkis-metadata-query-service-jdbc
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 1.5.0, < 1.7.0
Fixed in: 1.7.0
All affected versions: 1.5.0, 1.6.0
All unaffected versions: 1.3.1, 1.3.2, 1.4.0, 1.7.0