Lucene search

ApacheCVE-2023-27987

HistoryApr 10, 2023 - 8:15 a.m.

CVE-2023-27987

2023-04-1008:15:07

CWE-326

apache

web.nvd.nist.gov

cve-2023-27987

apache linkis

token vulnerability

security update

nvd

cve

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.2

Confidence

High

EPSS

0.005

Percentile

77.1%

JSON

In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values.

We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization[1]
https://linkis.apache.org/docs/latest/auth/token https://linkis.apache.org/docs/latest/auth/token

Affected configurations

Nvd

Vulners

Node

apachelinkisRange≤1.3.1

VendorProductVersionCPE
apachelinkis*cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	linkis	*	cpe:2.3:a:apache:linkis::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Linkis",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.3.1",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]

References

lists.apache.org/thread/3cr1cz3210wzwngldwrqzm43vwhghp0p

www.openwall.com/lists/oss-security/2023/04/10/3

Social References

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.2

Confidence

High

EPSS

0.005

Percentile

77.1%

JSON

Related for CVE-2023-27987