Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-x84r-jrqm-3hj8: Apache Linkis Unrestricted File Upload vulnerability

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types.

We recommend users upgrade the version of Linkis to version 1.3.2.

For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties

wds.linkis.workspace.filesystem.owner.check=true wds.linkis.workspace.filesystem.path.check=true

ghsa
#vulnerability#apache#git#java#maven

Package

maven org.apache.linkis:linkis (Maven)

Affected versions

< 1.3.2

Patched versions

1.3.2

Description

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types.

We recommend users upgrade the version of Linkis to version 1.3.2.

For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties

wds.linkis.workspace.filesystem.owner.check=true
wds.linkis.workspace.filesystem.path.check=true

References

  • https://nvd.nist.gov/vuln/detail/CVE-2023-27602
  • https://lists.apache.org/thread/wt70jfc0yfs6s5g0wg5dr5klnc48nsp1

Published by the National Vulnerability Database

Apr 10, 2023

Published to the GitHub Advisory Database

Jul 6, 2023

Reviewed

Jul 6, 2023

Last updated

Jul 6, 2023

Related news

CVE-2023-27602

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2.  For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true`

ghsa: Latest News

GHSA-49cc-xrjf-9qf7: SFTPGo allows administrators to restrict command execution from the EventManager