oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-45627: Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability

From: Heping Wang <peacewong () apache org>
Date: Tue, 14 Jan 2025 13:01:00 +0000
Severity: important

Affected versions:

- Apache Linkis Metadata Query Service JDBC 1.5.0 before 1.7.0

Description:

In Apache Linkis <1.7.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will 

allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL 
should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be 
carried out. Versions of Apache Linkis < 1.6.0 will be affected. 
We recommend users upgrade the version of Linkis to version 1.7.0.

Credit:

Le1a (reporter)

References:

https://linkis.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-45627
Previous By Date Next
Previous By Thread Next

Current thread: