Vulnerabilites related to Apache Software Foundation - Apache Linkis (incubating)
cve-2022-44644
Vulnerability from cvelistv5
Published
2023-01-31 09:40
Modified
2024-08-03 13:54
Severity ?
EPSS score ?
Summary
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.3.1
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Linkis (incubating) |
Version: 0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:54:03.937Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Linkis (incubating)", vendor: "Apache Software Foundation", versions: [ { lessThan: "1.3.1", status: "affected", version: "0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Department of Cyber Security Research (Jumbo, Unc1e), Beijing Zhiqian Technology Co., LTD", }, { lang: "en", type: "reporter", value: "s3gundo of Hundsun Tech ", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. <br><br><span style=\"background-color: rgb(255, 255, 255);\">We recommend users upgrade the version of Linkis to version 1.3.1</span><br>", }, ], value: "In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. \n\nWe recommend users upgrade the version of Linkis to version 1.3.1\n", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-03-15T08:36:52.828Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Linkis (incubating): The DatasourceManager module has a Local File Read Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-44644", datePublished: "2023-01-31T09:40:52.676Z", dateReserved: "2022-11-03T08:44:03.767Z", dateUpdated: "2024-08-03T13:54:03.937Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-44645
Vulnerability from cvelistv5
Published
2023-01-31 09:38
Modified
2024-08-03 13:54
Severity ?
EPSS score ?
Summary
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.
We recommend users to upgrade the version of Linkis to version 1.3.1.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/zlcfmvt65blqc4n6fxypg6f0ns8fqfz4 | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Linkis (incubating) |
Version: 0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:54:03.985Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.apache.org/thread/zlcfmvt65blqc4n6fxypg6f0ns8fqfz4", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Apache Linkis (incubating)", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "1.3.0", status: "affected", version: "0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "reporter", value: "Tian Xin WU (Bearcat) , Vulnerability Researcher at Numen Cyber Labs, Singapore.", }, { lang: "en", type: "remediation developer", value: "Department of Cyber Security Research (Jumbo, Unc1e)", }, { lang: "en", type: "remediation developer", value: "s3gundo of Hundsun Tech ", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.<br><br>We recommend users to upgrade the version of Linkis to version 1.3.1.<br>", }, ], value: "In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.\n\nWe recommend users to upgrade the version of Linkis to version 1.3.1.\n", }, ], metrics: [ { other: { content: { text: "important", }, type: "Textual description of severity", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-01-31T09:38:07.355Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { tags: [ "vendor-advisory", ], url: "https://lists.apache.org/thread/zlcfmvt65blqc4n6fxypg6f0ns8fqfz4", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Linkis (incubating): The DatasourceManager module has a serialization attack vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-44645", datePublished: "2023-01-31T09:38:07.355Z", dateReserved: "2022-11-03T08:45:25.305Z", dateUpdated: "2024-08-03T13:54:03.985Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }