CVE-2022-39944 – org.apache.linkis:linkis
Package
Manager: maven
Name: org.apache.linkis:linkis
Vulnerable Version: >=0 <1.3.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01188 pctl0.78011
Details
Apache Linkis subject to Remote Code Execution via deserialization
In Apache Linkis <=1.2.0, when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker who has write access to a database configures a JDBC EC (engine connector) with a MySQL data source whose JDBC URL carries malicious connection parameters. The deserialization happens on the Linkis side, inside the Connector/J client, when the engine connects using the attacker-supplied URL parameters. The parameters accepted in the JDBC URL should therefore be blocklisted. This issue is patched in version 1.3.0, and users are recommended to upgrade.
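The advisory names the mitigation (blocklist the parameters in the JDBC URL) without spelling it out. The following is an added example of such a check, written here for this page; it is not code from Apache Linkis, and the parameter list, the `ALLOWED_KEYS` allowlist and the function names are this example's own choices, not the set shipped in Linkis 1.3.0. It goes beyond a plain `?key=value` scan because MySQL Connector/J also accepts properties in the `(host=h,port=p,key=value)` and `address=(host=h)(key=value)` host forms, and a blocklist that parses only the query string misses those. Keys are compared case-insensitively and percent-decoded first so a variant spelling fails closed regardless of how the driver normalises it. Python is used so the check can be run and tested directly.

```python
"""Reject MySQL Connector/J JDBC URLs that carry client-side-dangerous parameters.

Added illustration for the CVE-2022-39944 advisory; not Apache Linkis code.
The parameter lists and the URL forms handled are this example's own.
"""
import re
from urllib.parse import unquote

# Connector/J parameters that let whoever controls the data-source definition
# (or the server it points at) drive Java deserialization, arbitrary class
# loading, or local file reads inside the client. Example list, not Linkis's.
BLOCKED_KEYS = frozenset(k.lower() for k in (
    "autoDeserialize",                  # BLOB -> ObjectInputStream.readObject()
    "queryInterceptors",                # class names instantiated on connect
    "statementInterceptors",            # pre-8.0 name of the same hook
    "exceptionInterceptors",
    "connectionLifecycleInterceptors",
    "socketFactory",
    "propertiesTransform",
    "allowLoadLocalInfile",             # rogue server reads client files
    "allowLoadLocalInfileInPath",
    "allowUrlInLocalInfile",
    "detectCustomCollations",
))

# Allowlist alternative: anything not named here is rejected. Example list.
ALLOWED_KEYS = frozenset(k.lower() for k in (
    "useSSL", "requireSSL", "useUnicode", "characterEncoding", "serverTimezone",
    "connectTimeout", "socketTimeout", "zeroDateTimeBehavior",
))

_PAREN_GROUP = re.compile(r"\(([^()]*)\)")


def parameter_keys(url: str) -> list[str]:
    """Return every property key in a Connector/J URL, percent-decoded, in order.

    Covers the three places Connector/J accepts properties:
      ?key=value&...                 query string
      (host=h,port=p,key=value)      key-value host form
      address=(host=h)(key=value)    address-equals host form
    """
    if "://" not in url:
        raise ValueError("not a JDBC URL")
    rest = url.split("://", 1)[1]
    # Authority ends at the first '/' (database path) or '?' (query string).
    cut = min((i for i in (rest.find("/"), rest.find("?")) if i >= 0), default=len(rest))
    authority, tail = rest[:cut], rest[cut:]
    keys = []
    for group in _PAREN_GROUP.findall(authority):
        for item in group.split(","):
            if "=" in item:
                keys.append(unquote(item.split("=", 1)[0].strip()))
    query = tail.split("?", 1)[1] if "?" in tail else ""
    for item in query.split("&"):
        if "=" in item:
            keys.append(unquote(item.split("=", 1)[0].strip()))
        elif item.strip():
            keys.append(unquote(item.strip()))  # bare flag still names a property
    return keys


def blocked_parameters(url: str) -> list[str]:
    """Denylist check: keys matching BLOCKED_KEYS, compared case-insensitively."""
    return sorted({k for k in parameter_keys(url) if k.lower() in BLOCKED_KEYS}, key=str.lower)


def unlisted_parameters(url: str) -> list[str]:
    """Allowlist check: keys not in ALLOWED_KEYS (the more robust policy)."""
    return sorted({k for k in parameter_keys(url) if k.lower() not in ALLOWED_KEYS}, key=str.lower)


def validate_mysql_jdbc_url(url: str) -> str:
    """Return the URL unchanged, or raise ValueError naming the offending keys."""
    if not url.lower().startswith("jdbc:mysql:"):
        raise ValueError("only jdbc:mysql: URLs are checked here")
    bad = blocked_parameters(url)
    if bad:
        raise ValueError(f"forbidden JDBC parameter(s): {', '.join(bad)}")
    return url


if __name__ == "__main__":
    # Constructed sample data-source URLs, as an attacker with write access to
    # the data-source definitions might store them.
    samples = [
        "jdbc:mysql://db.internal:3306/linkis?useSSL=true&characterEncoding=utf8",
        "jdbc:mysql://db.internal:3306/linkis?autoDeserialize=true"
        "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
        "jdbc:mysql://db.internal:3306/linkis?AUTODESERIALIZE=true",    # case variant
        "jdbc:mysql://db.internal:3306/linkis?%61utoDeserialize=true",  # percent-encoded
        "jdbc:mysql://(host=db.internal,port=3306,allowLoadLocalInfile=true)/linkis",
        "jdbc:mysql://address=(host=db.internal)(port=3306)(autoDeserialize=true)/linkis",
    ]
    for s in samples:
        try:
            validate_mysql_jdbc_url(s)
            print("ok     ", s)
        except ValueError as e:
            print("REJECT ", s, "->", e)
```

`unlisted_parameters` is included because a denylist only ever catches the parameters someone thought of; for a data source that untrusted users may define, rejecting every key not on a short allowlist is the policy to prefer, with the denylist as defence in depth.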
Metadata
Created: 2022-10-26T19:00:38Z
Modified: 2022-10-31T15:53:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-3f3w-gmqf-4hj3/GHSA-3f3w-gmqf-4hj3.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-3f3w-gmqf-4hj3
Finding: F096
Auto approve: 1