Headline
GHSA-x84r-jrqm-3hj8: Apache Linkis Unrestricted File Upload vulnerability
In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types.
We recommend users upgrade the version of Linkis to version 1.3.2.
For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties
wds.linkis.workspace.filesystem.owner.check=true
wds.linkis.workspace.filesystem.path.check=true
Package
maven org.apache.linkis:linkis (Maven)
Affected versions
< 1.3.2
Patched versions
1.3.2
Description
In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types.
We recommend users upgrade the version of Linkis to version 1.3.2.
For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties
wds.linkis.workspace.filesystem.owner.check=true
wds.linkis.workspace.filesystem.path.check=true
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-27602
- https://lists.apache.org/thread/wt70jfc0yfs6s5g0wg5dr5klnc48nsp1
Published by the National Vulnerability Database
Apr 10, 2023
Published to the GitHub Advisory Database
Jul 6, 2023
Reviewed
Jul 6, 2023
Last updated
Jul 6, 2023
Related news
In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true`