Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xbTJoLW03OTktODZyY84AAypA
Apache Linkis JDBC EngineConn has deserialization vulnerability
In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EngineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Users should upgrade their version of Linkis to version 1.3.2.
Permalink: https://github.com/advisories/GHSA-qm2h-m799-86rcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xbTJoLW03OTktODZyY84AAypA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-qm2h-m799-86rc, CVE-2023-29215
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-29215
- https://lists.apache.org/thread/o682wz1ggq491ybvjwokxvcdtnzo76ls
- https://github.com/apache/linkis/commit/7005c01d7f7bca78322447f4f2f32b8398645687
- https://linkis.apache.org/download/release-notes-1.3.2/
- http://www.openwall.com/lists/oss-security/2023/04/10/4
- https://github.com/advisories/GHSA-qm2h-m799-86rc
Blast Radius: 1.0
Affected Packages
maven:org.apache.linkis:linkis-engineconn
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.3.2
Fixed in: 1.3.2
All affected versions: 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.3.0, 1.3.1
All unaffected versions: 1.3.2, 1.4.0, 1.5.0