GHSA-7qpc-4xx9-x5qw

Source

https://github.com/advisories/GHSA-7qpc-4xx9-x5qw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-7qpc-4xx9-x5qw/GHSA-7qpc-4xx9-x5qw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7qpc-4xx9-x5qw

Aliases

CVE-2023-49566

Published

2024-07-15T09:36:23Z

Modified

2025-03-27T23:41:45.898477Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Apache Linkis DataSource's JDBC Datasource Module with DB2 has JNDI Injection vulnerability

Details

In Apache Linkis <=1.5.0, due to the lack of effective filteringof parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted.

This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.

Versions of Apache Linkis <=1.5.0 will be affected. We recommend users upgrade the version of Linkis to version 1.6.0.

Database specific

{
    "nvd_published_at": "2024-07-15T08:15:02Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-15T17:40:59Z"
}

References

Affected packages

Maven / org.apache.linkis:linkis-datasource

Package

Name: org.apache.linkis:linkis-datasource; View open source insights on deps.dev
Purl: pkg:maven/org.apache.linkis/linkis-datasource

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.0

Affected versions

1.*

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0

1.3.0

1.3.1

1.3.2

1.4.0

1.5.0