CVE-2024-45627

14.01.2025, 17:15

In Apache Linkis <1.7.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will

allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.7.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.7.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
apache	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	5.9 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Vendor	Product	Version
apache	linkis	𝑥 < 1.7.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-552 - Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.

References

https://lists.apache.org/thread/0zzx8lldwoqgzq98mg61hojgpvn76xsh

http://www.openwall.com/lists/oss-security/2025/01/14/1