CVE-2023-49566

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-49566
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49566.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-49566
Aliases
Published
2024-07-15T08:15:02Z
Modified
2025-03-27T16:15:20Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious

db2

parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted. 

This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.

Versions of Apache Linkis

<=1.5.0

will be affected. We recommend users upgrade the version of Linkis to version 1.6.0.

References

Affected packages

Git / github.com/apache/incubator-linkis

Affected ranges

Type
GIT
Repo
https://github.com/apache/incubator-linkis
Events
Introduced
7f3c1a9b28c450ed10d5bb73594d8193273ccb48
Fixed
9be69de555a4539c73b56dd44c798026596f0f54