CVE-2023-29215 org.apache.linkis:linkis-engineconn

Package

Manager: maven
Name: org.apache.linkis:linkis-engineconn
Vulnerable Version: >=0 <1.3.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.03106 (percentile 0.86299)

Details

Apache Linkis JDBC EngineConn has a deserialization vulnerability. In Apache Linkis <=1.3.1, the JDBC EngineConn module does not effectively filter the connection parameters it is given, so an attacker who can configure a MySQL JDBC connection for the module can supply malicious MySQL JDBC URL parameters that trigger a deserialization vulnerability and ultimately lead to remote code execution. The parameters accepted in the MySQL JDBC URL should therefore be blacklisted. Users should upgrade Linkis to version 1.3.2.
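The following is an added example, not code from Apache Linkis, showing the kind of JDBC URL parameter filter the "blacklist" mitigation above refers to. The advisory does not enumerate which parameters are dangerous; the denylist below is an assumption built from well-known MySQL Connector/J properties that let a connection URL trigger object deserialization or client-side file reads, and the sample URLs are constructed for illustration. It accepts only plain `jdbc:mysql://` URLs and would run before a user-supplied URL is handed to the JDBC driver.

```python
"""Added example: parameter filter for user-supplied MySQL JDBC URLs.

Not Linkis code. Illustrates the mitigation the advisory recommends:
reject dangerous parameters in an attacker-controllable MySQL JDBC URL
before the JDBC EngineConn connects with it.
"""
from urllib.parse import parse_qsl, urlsplit

# Assumed denylist: MySQL Connector/J properties known to turn a URL into a
# deserialization or local-file-read primitive. The advisory does not list
# these; review against the driver version actually deployed.
DENIED_PARAMS = frozenset(p.lower() for p in (
    "autoDeserialize",            # deserialize BLOB columns into Java objects
    "queryInterceptors",          # load attacker-named classes on connect
    "statementInterceptors",      # pre-8.0 name for queryInterceptors
    "exceptionInterceptors",      # same class-loading primitive
    "detectCustomCollations",     # pulls collation data from the server
    "allowLoadLocalInfile",       # LOAD DATA LOCAL: server reads client files
    "allowLoadLocalInfileInPath",
    "allowUrlInLocalInfile",
    "allowMultiQueries",
))


class UnsafeJdbcUrl(ValueError):
    """Raised when a JDBC URL carries a parameter the filter rejects."""


def jdbc_query_params(url):
    """Return [(key, value), ...] from the query string of a jdbc:mysql:// URL.

    Keys come back lower-cased and percent-decoded (parse_qsl decodes them),
    so a denylist comparison cannot be sidestepped by case or encoding.
    """
    prefix = "jdbc:mysql://"
    if not url.lower().startswith(prefix):
        raise UnsafeJdbcUrl("only plain jdbc:mysql:// URLs are accepted")
    # Drop the 'jdbc:' scheme prefix so urlsplit parses mysql://host/db?...
    parts = urlsplit(url[len("jdbc:"):])
    # keep_blank_values: a bare '?autoDeserialize' must still be seen.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(k.strip().lower(), v) for k, v in pairs]


def check_jdbc_url(url, allowed=None):
    """Validate a user-supplied MySQL JDBC URL and return its parameters.

    With `allowed` unset, any parameter in DENIED_PARAMS is rejected (the
    blacklist posture the advisory describes). With `allowed` set to a
    collection of permitted parameter names, anything outside it is
    rejected instead, which is the stronger posture for a shared service.
    """
    params = jdbc_query_params(url)
    if allowed is not None:
        allowed_lc = {a.lower() for a in allowed}
        bad = [k for k, _ in params if k not in allowed_lc]
    else:
        bad = [k for k, _ in params if k in DENIED_PARAMS]
    if bad:
        raise UnsafeJdbcUrl(
            "rejected JDBC parameter(s): " + ", ".join(sorted(set(bad))))
    return params


def is_safe_jdbc_url(url, allowed=None):
    """Boolean convenience wrapper around check_jdbc_url."""
    try:
        check_jdbc_url(url, allowed)
        return True
    except UnsafeJdbcUrl:
        return False


if __name__ == "__main__":
    # Constructed sample URLs for demonstration; not taken from the advisory.
    samples = [
        "jdbc:mysql://db.internal:3306/linkis?useSSL=true&characterEncoding=utf8",
        "jdbc:mysql://db.internal:3306/linkis?autoDeserialize=true"
        "&queryInterceptors=com.example.Interceptor",
        "jdbc:mysql://db.internal:3306/linkis?AUTODESERIALIZE=true",
        "jdbc:mysql://db.internal:3306/linkis?auto%44eserialize=true",
    ]
    for s in samples:
        print("ok  " if is_safe_jdbc_url(s) else "DENY", s)
```

Two caveats apply in a real deployment. A denylist is only as good as its coverage of the driver in use, so pass `allowed=` with the handful of parameters your engine actually needs where you can. And the URL is not the only channel: if the EngineConn also accepts a separate key/value property map that is merged into the connection, the same check must be applied to those keys.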

Metadata

Created: 2023-04-10T09:30:15Z
Modified: 2025-02-13T18:54:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qm2h-m799-86rc/GHSA-qm2h-m799-86rc.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-qm2h-m799-86rc
Finding: F096
Auto approve: 1