GHSA-3f3w-gmqf-4hj3

Source

https://github.com/advisories/GHSA-3f3w-gmqf-4hj3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-3f3w-gmqf-4hj3/GHSA-3f3w-gmqf-4hj3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3f3w-gmqf-4hj3

Aliases

CVE-2022-39944

Published

2022-10-26T19:00:38Z

Modified

2023-11-08T04:10:21.569677Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Apache Linkis subject to Remote Code Execution via deserialization

Details

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. This issue is patched in version 1.3.0, and users are recommended to upgrade.

Database specific

{
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2022-10-26T16:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed_at": "2022-10-27T18:40:10Z"
}

References

Affected packages

Maven / org.apache.linkis:linkis

Package

Name: org.apache.linkis:linkis; View open source insights on deps.dev
Purl: pkg:maven/org.apache.linkis/linkis

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.0

Affected versions

1.*

1.0.3

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-3f3w-gmqf-4hj3/GHSA-3f3w-gmqf-4hj3.json"