CVE-2023-41916

Source
https://cve.org/CVERecord?id=CVE-2023-41916
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41916.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-41916
Aliases
Published
2024-07-15T07:53:57.843Z
Modified
2026-07-15T02:09:17.741651948Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Apache Linkis DataSource: DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading
Details

In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected.  We recommend users upgrade the version of Linkis to version 1.5.0.

Database specific
{
    "cwe_ids": [
        "CWE-552"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41916.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "1.4.0"
                },
                {
                    "fixed": "1.5.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/linkis

Affected ranges

Type
GIT
Repo
https://github.com/apache/linkis
Events
Database specific
{
    "cpe": "cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.4.0"
        },
        {
            "fixed": "1.6.0"
        }
    ],
    "source": "CPE_RANGE"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41916.json"