GHSA-h6w8-52mq-4qxc: Apache Linkis contains Deserialization of Untrusted Data

In Apache Linkis <=1.3.0, when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker who has write access to a database configures a new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend that users upgrade Linkis to version 1.3.1.
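As an added defensive illustration (not Apache Linkis code, and written in Python for a stand-alone demonstration rather than the project's Java), the validator below parses a user-supplied MySQL JDBC URL and permits only an explicit allowlist of query parameters, refusing the Connector/J properties that make the driver load classes or deserialize server-supplied data, as well as the address=(...) host syntax that can carry driver properties outside the query string. The allowlist and denylist are assumptions chosen for illustration, not the project's own lists.

```python
from urllib.parse import parse_qsl, urlsplit

# Query parameters this service lets a user set (assumption: a small, safe
# subset chosen for illustration, not the project's own list).
ALLOWED_PARAMS = {"useSSL", "requireSSL", "characterEncoding", "serverTimezone",
                  "connectTimeout", "socketTimeout", "useUnicode"}
# Connector/J properties that make the driver load classes or deserialize
# server-supplied data; never user-configurable. Listed so the rejection
# reason stays explicit even if the allowlist above is widened later.
DENIED_PARAMS = {"autoDeserialize", "queryInterceptors", "statementInterceptors",
                 "exceptionInterceptors", "allowLoadLocalInfile"}
_ALLOWED = {p.lower() for p in ALLOWED_PARAMS}
_DENIED = {p.lower() for p in DENIED_PARAMS}


class UnsafeJdbcUrl(ValueError):
    """The URL must not be handed to the driver; the message says why."""


def validate_mysql_jdbc_url(url: str) -> dict:
    """Parse a user-supplied MySQL JDBC URL and return its components, or
    raise UnsafeJdbcUrl on the first unacceptable feature."""
    if not url.startswith("jdbc:mysql://"):
        raise UnsafeJdbcUrl("only plain jdbc:mysql:// URLs are accepted")
    parts = urlsplit(url[len("jdbc:"):])  # scheme=mysql, netloc, path, query
    # Connector/J also accepts host forms such as address=(host=h)(key=v) and
    # (host=h,key=v) that carry driver properties outside the query string, so
    # a query-only check is bypassable; reject such authorities outright.
    if not parts.netloc or any(c in parts.netloc for c in "(),="):
        raise UnsafeJdbcUrl("host syntax that embeds properties is not allowed")
    if parts.fragment:
        raise UnsafeJdbcUrl("fragments are not allowed")
    params, seen = {}, set()
    # parse_qsl percent-decodes keys, so an encoded spelling of a denied name
    # (e.g. %61utoDeserialize) is compared in its decoded form.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        name = key.lower()
        if name in _DENIED:
            raise UnsafeJdbcUrl(f"parameter {key!r} is never user-configurable")
        if name not in _ALLOWED:
            raise UnsafeJdbcUrl(f"parameter {key!r} is not in the allowlist")
        if name in seen:  # duplicate keys: which one wins varies by driver
            raise UnsafeJdbcUrl(f"duplicate parameter {key!r}")
        seen.add(name)
        params[key] = value
    return {"host": parts.hostname, "port": parts.port or 3306,
            "database": parts.path.lstrip("/"), "params": params}


def rejects(url: str) -> bool:
    """True if the validator refuses the URL (handy for tests and audits)."""
    try:
        validate_mysql_jdbc_url(url)
    except UnsafeJdbcUrl:
        return True
    return False
```

Only the dictionary returned by the validator (never the raw string) should be used to build the connection, so that the driver sees exactly the parameters that passed the check.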

High severity GitHub Reviewed Published Jan 31, 2023 to the GitHub Advisory Database • Updated Feb 2, 2023

Package: org.apache.linkis:linkis (Maven)

Affected versions: < 1.3.1

References

  • https://nvd.nist.gov/vuln/detail/CVE-2022-44645
  • https://lists.apache.org/thread/zlcfmvt65blqc4n6fxypg6f0ns8fqfz4

Published to the GitHub Advisory Database: Jan 31, 2023

Published by the National Vulnerability Database: Jan 31, 2023
