In Apache Linkis <=1.5.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious
db2
parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted.
This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.
Versions of Apache Linkis
<=1.5.0
will be affected.
We recommend users upgrade the version of Linkis to version 1.6.0.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/t68yy52lmv7pxgrxnq6rw7rwvk9tb1xj | Mailing List Vendor Advisory |
Configurations
History
16 Jul 2024, 18:06
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
Summary |
|
|
References | () https://lists.apache.org/thread/t68yy52lmv7pxgrxnq6rw7rwvk9tb1xj - Mailing List, Vendor Advisory | |
CPE | cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:* | |
First Time |
Apache linkis
Apache |
15 Jul 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-15 08:15
Updated : 2024-07-16 18:06
NVD link : CVE-2023-49566
Mitre link : CVE-2023-49566
CVE.ORG link : CVE-2023-49566
JSON object : View
Products Affected
apache
- linkis
CWE
CWE-502
Deserialization of Untrusted Data