CVE-2023-49566

15.07.2024, 08:15

In Apache Linkis <=1.5.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious 

db2

 parameters in the DataSource Manager Module will resultin jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted.

This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.

 Versions of Apache Linkis 

<=1.5.0

 will be affected.
We recommend users upgrade the version of Linkis to version 1.6.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
apache	CNA	---				---
CISA-ADP	ADP	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 71%

Vendor	Product	Version
apache	linkis	1.4.0 ≤ 𝑥 < 1.6.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://lists.apache.org/thread/t68yy52lmv7pxgrxnq6rw7rwvk9tb1xj

http://www.openwall.com/lists/oss-security/2024/07/13/5

https://lists.apache.org/thread/t68yy52lmv7pxgrxnq6rw7rwvk9tb1xj