CVE-2023-41916

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-41916

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41916.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-41916

Aliases

GHSA-f22j-9j59-33j4

Published

2024-07-15T08:15:02Z

Modified

2024-10-08T00:03:42Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected. We recommend users upgrade the version of Linkis to version 1.5.0.

References

https://lists.apache.org/thread/dxkpwyoxy1jpdwlpqp15zvo0jxn4v729

Affected packages

Git / github.com/apache/incubator-linkis

Affected ranges

Type: GIT
Repo: https://github.com/apache/incubator-linkis
Events: Introduced

7f3c1a9b28c450ed10d5bb73594d8193273ccb48

Fixed

9be69de555a4539c73b56dd44c798026596f0f54