{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/17305?format=json","vulnerability_id":"VCID-up1e-7r5s-jbgr","summary":"Apache Linkis JDBC EngineConn has deserialization vulnerability\nIn Apache Linkis <=1.3.1, due to the lack of effective filtering\nof parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EngineConn Module will trigger a\ndeserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be block listed. Versions of Apache Linkis <= 1.3.0 will be affected.\nWe recommend users upgrade the version of Linkis to version 1.3.2.","aliases":[{"alias":"CVE-2023-29215"},{"alias":"GHSA-qm2h-m799-86rc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63391?format=json","purl":"pkg:maven/org.apache.linkis/linkis@1.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.linkis/linkis@1.3.2"},{"url":"http://public2.vulnerablecode.io/api/packages/63384?format=json","purl":"pkg:maven/org.apache.linkis/linkis-engineconn@1.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.linkis/linkis-engineconn@1.3.2"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63390?format=json","purl":"pkg:maven/org.apache.linkis/linkis@1.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-k2nt-5799-zfcq"},{"vulnerability":"VCID-up1e-7r5s-jbgr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.linkis/linkis@1.3.1"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29215","reference_id":"","reference_type":"","scores":[{"value":"0.04863","scoring_system":"epss","scoring_elements":"0.89712","published_at":"2026-05-30T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29
215"},{"reference_url":"https://github.com/apache/linkis","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/linkis"},{"reference_url":"https://github.com/apache/linkis/commit/7005c01d7f7bca78322447f4f2f32b8398645687","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/linkis/commit/7005c01d7f7bca78322447f4f2f32b8398645687"},{"reference_url":"https://linkis.apache.org/download/release-notes-1.3.2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://linkis.apache.org/download/release-notes-1.3.2"},{"reference_url":"https://lists.apache.org/thread/o682wz1ggq491ybvjwokxvcdtnzo76ls","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-22T15:26:45Z/"}],"url":"https://lists.apache.org/thread/o682wz1ggq491ybvjwokxvcdtnzo76ls"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/04/10/4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"
ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-22T15:26:45Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/04/10/4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29215","reference_id":"CVE-2023-29215","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29215"},{"reference_url":"https://github.com/advisories/GHSA-qm2h-m799-86rc","reference_id":"GHSA-qm2h-m799-86rc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qm2h-m799-86rc"}],"weaknesses":[{"cwe_id":502,"name":"Deserialization of Untrusted Data","description":"The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"9.0 - 10.0","exploitability":"0.5","weighted_severity":"0.0","risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-up1e-7r5s-jbgr"}