Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qanZjLXY4Z3ctNTI1Nc4AA949
Apache Linkis DataSource remote code execution vulnerability
In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them.
This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. We recommend that users upgrade the java version to >= 1.8.0_241. Or users upgrade Linkis to version 1.6.0.
Permalink: https://github.com/advisories/GHSA-jjvc-v8gw-5255JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qanZjLXY4Z3ctNTI1Nc4AA949
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-jjvc-v8gw-5255, CVE-2023-46801
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-46801
- https://lists.apache.org/thread/0dnzh64xy1n7qo3rgo2loz9zn7m9xgdx
- https://linkis.apache.org/download/release-notes-1.6.0
- https://github.com/advisories/GHSA-jjvc-v8gw-5255
Affected Packages
maven:org.apache.linkis:linkis-datasource
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 1.4.0, < 1.6.0
Fixed in: 1.6.0
All affected versions: 1.4.0, 1.5.0
All unaffected versions: 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.6.0