Lucene search

GitHub Advisory DatabaseGHSA-4X5H-XMV4-99WX

HistoryJul 06, 2023 - 7:24 p.m.

Apache Linkis Authentication Bypass vulnerability

2023-07-0619:24:13

CWE-294

GitHub Advisory Database

github.com

apache linkis

authentication bypass

default token

upgrade

version 1.3.2

token authorization

software

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.005

Percentile

77.1%

JSON

In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values.

We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization.

Affected configurations

Vulners

Node

org.apache.linkislinkisRange<1.3.2

VendorProductVersionCPE
org.apache.linkislinkis*cpe:2.3:a:org.apache.linkis:linkis:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.linkis	linkis	*	cpe:2.3:a:org.apache.linkis:linkis::::::::

References

github.com/advisories/GHSA-4x5h-xmv4-99wx

linkis.apache.org/docs/latest/auth/token

lists.apache.org/thread/3cr1cz3210wzwngldwrqzm43vwhghp0p

nvd.nist.gov/vuln/detail/CVE-2023-27987

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.005

Percentile

77.1%

JSON

Related for GHSA-4X5H-XMV4-99WX