In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users to upgrade the version of Linkis to version 1.3.1.
{ "nvd_published_at": "2023-01-31T10:15:00Z", "github_reviewed_at": "2023-02-02T00:09:05Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-502" ] }