Search for packages
| purl | pkg:maven/org.apache.linkis/linkis@1.1.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-28b1-qt5r-v3f2
Aliases: CVE-2023-50740 GHSA-m757-p8rv-4q93 |
Apache Linkis DataSource: DataSource module Oracle SQL Database Password Logged In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade the version of Linkis to version 1.5.0 |
Affected by 3 other vulnerabilities. |
|
VCID-4qm8-61y3-nqe7
Aliases: CVE-2022-44645 GHSA-h6w8-52mq-4qxc |
Deserialization of Untrusted Data In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be block listed. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users to upgrade the version of Linkis to version 1.3.1. |
Affected by 9 other vulnerabilities. |
|
VCID-4tk2-kdjk-23a1
Aliases: CVE-2023-27602 GHSA-x84r-jrqm-3hj8 |
Apache Linkis Unrestricted File Upload vulnerability In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true` |
Affected by 4 other vulnerabilities. |
|
VCID-9x73-dsqh-zybf
Aliases: CVE-2023-27987 GHSA-4x5h-xmv4-99wx |
Apache Linkis Authentication Bypass vulnerability In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization. |
Affected by 4 other vulnerabilities. |
|
VCID-auhs-h5j3-zba8
Aliases: CVE-2022-39944 GHSA-3f3w-gmqf-4hj3 |
Affected by 11 other vulnerabilities. |
|
|
VCID-d6jw-6tf4-4kec
Aliases: CVE-2023-27603 GHSA-pj5j-w7mw-w797 |
Apache Linkis Zip Slip issue In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability. We recommend users upgrade the version of Linkis to version 1.3.2. |
Affected by 4 other vulnerabilities. |
|
VCID-k2nt-5799-zfcq
Aliases: CVE-2023-29216 GHSA-rrhf-32rq-f28h |
Apache Linkis DatasourceManager module has deserialization vulnerability In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker can use the MySQL data source and malicious parameters to configure a new data source to trigger a deserialization vulnerability, eventually leading to remote code execution. Users should upgrade their version of Linkis to version 1.3.2. |
Affected by 4 other vulnerabilities. |
|
VCID-kebp-2per-ayg5
Aliases: CVE-2024-27181 GHSA-v352-rg37-5q5m |
Affected by 1 other vulnerability. |
|
|
VCID-t751-vbrf-pydw
Aliases: CVE-2022-44644 GHSA-rx76-xw35-6rh8 |
Exposure of Sensitive Information to an Unauthorized Actor In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, an authenticated attacker could read arbitrary local file by connecting a rogue mysql server, By adding allowLoadLocalInfile to true in the jdbc parameter. Therefore, the parameters in the jdbc url should be block listed. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3 |
Affected by 9 other vulnerabilities. |
|
VCID-up1e-7r5s-jbgr
Aliases: CVE-2023-29215 GHSA-qm2h-m799-86rc |
Apache Linkis JDBC EngineConn has deserialization vulnerability In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be block listed. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.2. |
Affected by 4 other vulnerabilities. |
|
VCID-uua2-ba2j-mqgb
Aliases: CVE-2024-27182 GHSA-j6vx-r77h-44wc |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||