GHSA-h6w8-52mq-4qxc: Apache Linkis contains Deserialization of Untrusted Data
In Apache Linkis <= 1.3.0, when used with MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists: an attacker who has write access to a database and can configure a new datasource of the MySQL type may supply malicious parameters in the JDBC URL, which Connector/J then honours. Parameters in the JDBC URL should therefore be blacklisted. Versions of Apache Linkis <= 1.3.0 are affected; users are recommended to upgrade Linkis to version 1.3.1.
CVE ID
CVE-2022-44645
High severity • GitHub Reviewed • Published Jan 31, 2023 to the GitHub Advisory Database • Updated Feb 2, 2023
Package
org.apache.linkis:linkis (Maven)
Affected versions
< 1.3.1
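The advisory says JDBC URL parameters should be blacklisted but does not list them. The validator below is an added example, not code from Apache Linkis or from the 1.3.1 fix. It parses a user-supplied `jdbc:mysql://` URL, percent-decodes and case-folds the query keys (Connector/J matches property names case-insensitively), rejects properties that make the driver deserialize data or load classes named in the URL, and refuses URL shapes that can carry properties outside the query string, such as the `address=(key=value)` authority syntax. The property names in `DANGEROUS_KEYS`, the `DEFAULT_ALLOWED_KEYS` set and every sample URL are assumptions taken from Connector/J documentation and constructed for this example; they are not from the advisory.

```python
"""Reject MySQL Connector/J JDBC URLs that carry dangerous driver properties.

Added example for GHSA-h6w8-52mq-4qxc, not Apache Linkis code. The names in
DANGEROUS_KEYS and DEFAULT_ALLOWED_KEYS are assumptions drawn from Connector/J
documentation; review them against the driver version you actually ship.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, urlsplit

# Connector/J properties that deserialize data or load classes chosen by the
# URL author. Stored lowercase; keys are compared after percent-decoding.
DANGEROUS_KEYS = frozenset({
    "autodeserialize",            # ObjectInputStream on BLOB columns
    "queryinterceptors",          # class names loaded by the driver (8.x)
    "statementinterceptors",      # same mechanism, older name (5.x)
    "exceptioninterceptors",      # class names loaded by the driver
    "socketfactory",              # class name loaded by the driver
    "propertiestransform",        # class name loaded by the driver
    "detectcustomcollations",     # used in older 5.1.x deserialization chains
    "allowloadlocalinfile",       # server may read files from the client
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
})

# Stricter mode: anything not listed here is refused. Assumed set; keep only
# what your datasource form genuinely needs.
DEFAULT_ALLOWED_KEYS = frozenset({
    "usessl", "requiressl", "verifyservercertificate", "servertimezone",
    "characterencoding", "useunicode", "connecttimeout", "sockettimeout",
})


def _norm(key: str) -> str:
    # Connector/J treats property names case-insensitively, so a denylist
    # that compares raw strings is bypassed by "AutoDeserialize=true".
    return key.strip().lower()


def jdbc_mysql_params(url: str) -> dict[str, str]:
    """Return the query parameters of a `jdbc:mysql://host[:port]/db?k=v` URL.

    Raises ValueError for shapes this validator does not model: other JDBC
    sub-protocols (mysql:loadbalance, mysqlx, ...) and the
    `address=(host=...)(key=value)` authority form, which can smuggle driver
    properties past a query-string-only check. Rejecting them is deliberate.
    """
    scheme, sep, rest = url.partition(":")
    if scheme.lower() != "jdbc" or not sep:
        raise ValueError("not a JDBC URL")
    parts = urlsplit(rest)          # "mysql://host:3306/db?k=v" -> pieces
    if parts.scheme.lower() != "mysql":
        raise ValueError(f"unsupported JDBC sub-protocol: {parts.scheme!r}")
    if not parts.netloc or "(" in parts.netloc:
        raise ValueError("host section must be plain host[:port]")
    # parse_qsl percent-decodes keys, so "%61utoDeserialize" becomes visible.
    return {_norm(k): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}


def validate_mysql_jdbc_url(url: str, allowed_keys=None) -> list[str]:
    """Return the reasons a URL must be rejected; an empty list means accept.

    With allowed_keys=None only the denylist applies (the advisory's
    suggestion). Passing an allowlist additionally refuses unknown keys,
    which is the safer default for user-supplied datasources.
    """
    try:
        params = jdbc_mysql_params(url)
    except ValueError as exc:
        return [str(exc)]
    reasons = []
    for key in params:
        if key in DANGEROUS_KEYS:
            reasons.append(f"forbidden driver property: {key}")
        elif allowed_keys is not None and key not in allowed_keys:
            reasons.append(f"property not in allowlist: {key}")
    return reasons


if __name__ == "__main__":
    # Constructed sample URLs (not from the advisory).
    samples = [
        "jdbc:mysql://db.internal:3306/linkis?useSSL=true&serverTimezone=UTC",
        "jdbc:mysql://db.internal:3306/linkis?autoDeserialize=true"
        "&queryInterceptors=com.example.SomeInterceptor",
        "jdbc:mysql://db.internal:3306/linkis?%61utoDeserialize=true",
        "jdbc:mysql://address=(host=db.internal)(port=3306)(autoDeserialize=true)/linkis",
    ]
    for s in samples:
        print(s, "->", validate_mysql_jdbc_url(s, DEFAULT_ALLOWED_KEYS) or "accepted")
```

Two caveats when adapting this: Connector/J also reads the same properties from the `java.util.Properties` object passed to `DriverManager.getConnection`, so any path that lets a user set properties outside the URL needs the same check; and a denylist tracks the driver you test against, so re-run the review whenever Connector/J is upgraded, or prefer the allowlist mode.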
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-44645
- https://lists.apache.org/thread/zlcfmvt65blqc4n6fxypg6f0ns8fqfz4
Published to the GitHub Advisory Database
Jan 31, 2023
Published by the National Vulnerability Database
Jan 31, 2023