GHSA-qm2h-m799-86rc

Source
https://github.com/advisories/GHSA-qm2h-m799-86rc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qm2h-m799-86rc/GHSA-qm2h-m799-86rc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qm2h-m799-86rc
Aliases
Published
2023-04-10T09:30:15Z
Modified
2024-02-21T05:39:25.564201Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Apache Linkis JDBC EngineConn has deserialization vulnerability
Details

In Apache Linkis <= 1.3.1, because JDBC connection parameters are not effectively filtered, an attacker who configures malicious MySQL JDBC parameters in the JDBC EngineConn module can trigger a deserialization vulnerability that eventually leads to remote code execution. The parameters in the MySQL JDBC URL should therefore be blacklisted. Users should upgrade Linkis to version 1.3.2.
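As an added example, not code from the advisory or from Apache Linkis, the following pre-flight validator implements the parameter blacklisting the advisory recommends for user-supplied MySQL JDBC URLs, with a stricter allowlist mode a practitioner would prefer for untrusted input. The denylist names are assumed from MySQL Connector/J's documented options (the exact list Linkis 1.3.2 blocks is not stated here), and matching is case-insensitive as a conservative choice.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumed from MySQL Connector/J's documented options: settings that let a
# connection string alter client-side behaviour (deserialization, local file
# reads, pluggable classes). Lower-cased so matching is case-insensitive.
DENIED_PARAMS = frozenset(p.lower() for p in (
    "autoDeserialize", "allowLoadLocalInfile", "allowLoadLocalInfileInPath",
    "allowUrlInLocalInfile", "queryInterceptors", "statementInterceptors",
    "exceptionInterceptors", "connectionLifecycleInterceptors",
    "detectCustomCollations", "socketFactory", "propertiesTransform",
    "authenticationPlugins", "defaultAuthenticationPlugin", "serverRSAPublicKeyFile",
))

# Benign options an operator would reasonably expect in a data-source URL.
ALLOWED_PARAMS = frozenset(p.lower() for p in (
    "useSSL", "requireSSL", "useUnicode", "characterEncoding",
    "serverTimezone", "connectTimeout", "socketTimeout",
    "zeroDateTimeBehavior", "rewriteBatchedStatements",
))


def parse_jdbc_mysql_url(url):
    """Split jdbc:mysql://host[:port]/db?k=v&... into (host, port, db, params)."""
    if not url.lower().startswith("jdbc:mysql://"):
        raise ValueError("not a jdbc:mysql:// URL")
    parts = urlsplit(url[len("jdbc:"):])
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes names/values
    return parts.hostname, parts.port, parts.path.lstrip("/"), params


def check_jdbc_params(url, mode="allowlist"):
    """Return the parameter names that fail validation (empty list == accepted).

    mode="denylist" rejects only the known-dangerous names, which is the
    blacklisting the advisory proposes; mode="allowlist" additionally rejects
    any name not explicitly permitted, the safer default for untrusted input.
    """
    if "#" in url:
        # A '#' hides everything after it from a standard URL parser while a
        # JDBC driver may still read it; refuse the URL rather than guess.
        return ["<fragment>"]
    _, _, _, params = parse_jdbc_mysql_url(url)
    rejected = []
    for name, _value in params:
        key = name.strip().lower()
        if key in DENIED_PARAMS or (mode == "allowlist" and key not in ALLOWED_PARAMS):
            rejected.append(name)
    return rejected
```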

Database specific
{
    "nvd_published_at": "2023-04-10T08:15:00Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-10T20:21:26Z"
}
References

Affected packages

Maven / org.apache.linkis:linkis-engineconn

Package

Name
org.apache.linkis:linkis-engineconn
Purl
pkg:maven/org.apache.linkis/linkis-engineconn

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.3.2

Affected versions

1.*

1.0.3
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.3.0
1.3.1