Lucene search

[email protected]NVD:CVE-2023-29215

HistoryApr 10, 2023 - 8:15 a.m.

CVE-2023-29215

2023-04-1008:15:07

CWE-502

[email protected]

web.nvd.nist.gov

apache linkis

deserialization vulnerability

jdbc eengineconn module

remote code execution

mysql jdbc parameters

blacklisting

upgrade

version 1.3.2

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.024

Percentile

89.9%

JSON

In Apache Linkis <=1.3.1, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a
deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.3.2.

Affected configurations

Nvd

Node

apachelinkisRange≤1.3.1

VendorProductVersionCPE
apachelinkis*cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	linkis	*	cpe:2.3:a:apache:linkis::::::::

References

www.openwall.com/lists/oss-security/2023/04/10/4

lists.apache.org/thread/o682wz1ggq491ybvjwokxvcdtnzo76ls

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.7

Confidence

High

EPSS

0.024

Percentile

89.9%

JSON

Related for NVD:CVE-2023-29215

cve1 osv2 github1 cnvd1 prion1 veracode1 cvelist1