oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-46801: Apache Linkis DataSource: Remote code execution vulnerability in apache Linkis 1.4.0

From: Heping Wang <peacewong () apache org>
Date: Sat, 13 Jul 2024 14:58:25 +0000
Severity: moderate

Affected versions:

- Apache Linkis DataSource 1.4.0 before 1.6.0

Description:

In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution 
vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject 
malicious files into the server and execute them. 

This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.  We 
recommend that users upgrade the java version to >= 1.8.0_241. Or users upgrade Linkis to version 1.6.0.

Credit:

Pho3n1x  (reporter)

References:

https://linkis.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-46801
Previous By Date Next
Previous By Thread Next

Current thread: