CVE-2023-41916

15.07.2024, 08:15

In Apache Linkis =1.4.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will triggerarbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.5.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
apache	CNA	---				---
CISA-ADP	ADP	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 48%

Vendor	Product	Version
apache	linkis	1.4.0 ≤ 𝑥 < 1.6.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-552 - Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.

References

https://lists.apache.org/thread/dxkpwyoxy1jpdwlpqp15zvo0jxn4v729

http://www.openwall.com/lists/oss-security/2024/07/13/4

https://lists.apache.org/thread/dxkpwyoxy1jpdwlpqp15zvo0jxn4v729