CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS
Percentile: 39.9%
org.apache.linkis: linkis-datasource is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper deserialization of untrusted data in the data source management module when adding a MySQL data source. An attacker who obtains an authorized Linkis account can exploit JRMP to inject and execute malicious files on the server. Note that this vulnerability is only exploitable on Java versions earlier than 1.8.0_241.