Lucene search

GitHub Advisory DatabaseGHSA-H6W8-52MQ-4QXC

HistoryJan 31, 2023 - 12:30 p.m.

Apache Linkis contains Deserialization of Untrusted Data

2023-01-3112:30:24

CWE-502

GitHub Advisory Database

github.com

apache linkis

mysql connector/j

deserialization

remote code execution

vulnerability

version 1.3.0

upgrade

security issue

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

65.9%

JSON

In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users to upgrade the version of Linkis to version 1.3.1.

Affected configurations

Vulners

Node

org.apache.linkislinkisRange<1.3.1

VendorProductVersionCPE
org.apache.linkislinkis*cpe:2.3:a:org.apache.linkis:linkis:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.linkis	linkis	*	cpe:2.3:a:org.apache.linkis:linkis::::::::

References

github.com/advisories/GHSA-h6w8-52mq-4qxc

lists.apache.org/thread/zlcfmvt65blqc4n6fxypg6f0ns8fqfz4

nvd.nist.gov/vuln/detail/CVE-2022-44645

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

65.9%

JSON

Related for GHSA-H6W8-52MQ-4QXC