Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xbTJoLW03OTktODZyY84AAypA

Apache Linkis JDBC EngineConn has deserialization vulnerability

In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EngineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Users should upgrade their version of Linkis to version 1.3.2.

Permalink: https://github.com/advisories/GHSA-qm2h-m799-86rc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xbTJoLW03OTktODZyY84AAypA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.02084
EPSS Percentile: 0.895

Identifiers: GHSA-qm2h-m799-86rc, CVE-2023-29215
References: Repository: https://github.com/apache/linkis
Blast Radius: 1.0

Affected Packages

maven:org.apache.linkis:linkis-engineconn
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.3.2
Fixed in: 1.3.2
All affected versions: 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.3.0, 1.3.1
All unaffected versions: 1.3.2, 1.4.0, 1.5.0, 1.6.0