In Apache Linkis <1.7.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will
allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.7.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.7.0.
CVSS Score
5.9
EPSS Score
0.0
Published
2025-01-14
In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang's RandomStringUtils.
Users are recommended to upgrade to version 1.6.0, which fixes this issue.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-09-25
In Apache Linkis <= 1.5.0,
Arbitrary file deletion in Basic management services on
A user with an administrator account could delete any file accessible by the Linkis system user
.
Users are recommended to upgrade to version 1.6.0, which fixes this issue.
CVSS Score
4.9
EPSS Score
0.004
Published
2024-08-02
In Apache Linkis <= 1.5.0,
Privilege Escalation in Basic management services where the attacking user is
a trusted account
allows access to Linkis's Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue.
CVSS Score
8.8
EPSS Score
0.003
Published
2024-08-02
In Apache Linkis =1.4.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.5.0.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-07-15
In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them.
This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. We recommend that users upgrade the java version to >= 1.8.0_241. Or users upgrade Linkis to version 1.6.0.
CVSS Score
8.8
EPSS Score
0.025
Published
2024-07-15
In Apache Linkis <=1.5.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious
db2
parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted.
This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.
Versions of Apache Linkis
<=1.5.0
will be affected.
We recommend users upgrade the version of Linkis to version 1.6.0.
CVSS Score
8.8
EPSS Score
0.007
Published
2024-07-15
In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module.
We recommend users upgrade the version of Linkis to version 1.5.0
CVSS Score
5.3
EPSS Score
0.001
Published
2024-03-06
In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability.
We recommend users upgrade the version of Linkis to version 1.3.2.
CVSS Score
9.8
EPSS Score
0.002
Published
2023-04-10
In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values.
We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization[1]
https://linkis.apache.org/docs/latest/auth/token https://linkis.apache.org/docs/latest/auth/token
CVSS Score
9.1
EPSS Score
0.001
Published
2023-04-10
Page 1