Vulnerabilites related to Apache Software Foundation - Apache Linkis Basic management services
CVE-2024-27181 (GCVE-0-2024-27181)
Vulnerability from cvelistv5
Published
2024-08-02 09:27
Modified
2024-08-12 19:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
In Apache Linkis <= 1.5.0,
Privilege Escalation in Basic management services where the attacking user is
a trusted account
allows access to Linkis's Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/hosd73l7hxb3rpt5rb0yg0ld11zph4c6 | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Linkis Basic management services |
Version: 1.3.2 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "linkis",
"vendor": "apache",
"versions": [
{
"lessThan": "1.6.0",
"status": "affected",
"version": "1.3.2",
"versionType": "maven"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-27181",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T13:50:17.045234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T19:53:28.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:03:23.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/08/02/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.linkis:linkis-pes-publicservice",
"product": "Apache Linkis Basic management services",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "1.6.0",
"status": "affected",
"version": "1.3.2",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "superx"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Apache Linkis \u0026lt;= 1.5.0,\n\nPrivilege Escalation in Basic management services where the attacking user is \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ea trusted account\u003c/span\u003e\n\n allows access to Linkis\u0027s Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue."
}
],
"value": "In Apache Linkis \u003c= 1.5.0,\n\nPrivilege Escalation in Basic management services where the attacking user is \n\na trusted account\n\n allows access to Linkis\u0027s Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T09:27:48.639Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/hosd73l7hxb3rpt5rb0yg0ld11zph4c6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Linkis Basic management services: Privilege Escalation Attack vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-27181",
"datePublished": "2024-08-02T09:27:48.639Z",
"dateReserved": "2024-02-21T03:03:36.039Z",
"dateUpdated": "2024-08-12T19:53:28.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}