cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score CVE-2024-39928,https://securityvulnerability.io/vulnerability/CVE-2024-39928,Apache Linkis Random String Security Vulnerability,"In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes this issue.",Apache,Apache Linkis Spark Engineconn,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-09-25T01:15:00.000Z,0 CVE-2024-27181,https://securityvulnerability.io/vulnerability/CVE-2024-27181,Privilege Escalation Vulnerability Affects Apache Linkis Versions Below 1.5.0,"In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue.",Apache,Apache Linkis Basic Management Services,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-08-02T10:15:00.000Z,0 CVE-2023-41916,https://securityvulnerability.io/vulnerability/CVE-2023-41916,Arbitrary File Reading Vulnerability in Apache Linkis = 1.4.0,"In Apache Linkis version 1.4.0, a vulnerability exists that allows an attacker with an authorized account to exploit the DataSource Manager Module. The flaw arises from inadequate filtering of parameters in the MySQL JDBC configuration. By injecting malicious parameters, an attacker can trigger arbitrary file reading, which could potentially lead to the disclosure of sensitive information. It is crucial that users upgrade to version 1.5.0 to mitigate this risk and protect their systems.",Apache,Apache Linkis Datasource,6.5,MEDIUM,0.0006300000241026282,false,,false,false,false,,,false,false,,2024-07-15T08:15:00.000Z,0 CVE-2023-49566,https://securityvulnerability.io/vulnerability/CVE-2023-49566,Linkis <=1.5.0 Vulnerable to JNDI Injection due to Inadequate Parameter Filtering,"In Apache Linkis versions up to 1.5.0, a vulnerability arises from insufficient filtering of parameters in the DataSource Manager Module, allowing an attacker with an authorized account to introduce malicious DB2 parameters leading to jndi injection. To mitigate this risk, it is recommended to blacklist parameters within the DB2 URL. Users are advised to upgrade to version 1.6.0 of Apache Linkis for enhanced security.",Apache,Apache Linkis Datasource,8.8,HIGH,0.0008999999845400453,false,,false,false,false,,,false,false,,2024-07-15T08:15:00.000Z,0 CVE-2023-46801,https://securityvulnerability.io/vulnerability/CVE-2023-46801,Apache Linkis Remote Code Execution Vulnerability,"In Apache Linkis versions up to 1.5.0, a vulnerability exists within the data source management module that can lead to remote code execution. This vulnerability affects systems where MySQL data sources are added and is particularly critical for environments running Java versions less than 1.8.0_241. By exploiting a deserialization flaw through the Java Remote Method Protocol (jrmp), an attacker can inject malicious files into the server, potentially executing arbitrary code. Successful exploitation requires the attacker to possess an authorized account within the Linkis environment, emphasizing the need for robust user access controls. To mitigate this risk, it is advised that users upgrade their Java installations to at least version 1.8.0_241 or upgrade to Apache Linkis version 1.6.0 or later.",Apache,Apache Linkis Datasource,8.8,HIGH,0.0008999999845400453,false,,false,false,false,,,false,false,,2024-07-15T08:15:00.000Z,0 CVE-2023-50740,https://securityvulnerability.io/vulnerability/CVE-2023-50740,Linkis Password Printed to Log in Oracle Data Source Vulnerability,"In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module.  We recommend users upgrade the version of Linkis to version 1.5.0 ",Apache,Apache Linkis Datasource,,,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-03-06T13:44:53.867Z,0 CVE-2023-27603,https://securityvulnerability.io/vulnerability/CVE-2023-27603,Apache Linkis Mangaer module engineConn material upload exists Zip Slip issue,"In Apache Linkis version 1.3.1 and earlier, the Manager module's engineConn material upload lacks proper validation for zip file paths. This oversight can lead to a Zip Slip vulnerability, enabling an attacker to exploit the system by executing remote code. Users are advised to upgrade to Apache Linkis version 1.3.2 to mitigate this risk effectively.",Apache,Apache Linkis,9.8,CRITICAL,0.01686999946832657,false,,false,false,false,,,false,false,,2023-04-10T08:15:00.000Z,0 CVE-2023-29215,https://securityvulnerability.io/vulnerability/CVE-2023-29215,Apache Linkis JDBC EngineCon has a deserialization command execution,"In Apache Linkis versions up to and including 1.3.1, a security flaw exists that stems from insufficient filtering of parameters. This vulnerability allows an attacker to inject malicious MySQL JDBC parameters into the JDBC EengineConn Module. As a result, this can trigger a deserialization attack that may lead to remote code execution on affected systems. To mitigate this risk, it is essential to blacklist the parameters within the MySQL JDBC URL. Users are strongly advised to upgrade to Apache Linkis version 1.3.2 or later to ensure their systems are secure.",Apache,Apache Linkis,9.8,CRITICAL,0.01013999991118908,false,,false,false,false,,,false,false,,2023-04-10T08:15:00.000Z,0 CVE-2023-29216,https://securityvulnerability.io/vulnerability/CVE-2023-29216,Apache Linkis DatasourceManager module has a deserialization command execution,"In Apache Linkis versions up to 1.3.1, attackers can exploit a deserialization vulnerability due to insufficient parameter filtering. By using a MySQL data source with malicious configurations, an attacker can potentially execute arbitrary code remotely. Users are advised to upgrade to version 1.3.2 to mitigate this risk.",Apache,Apache Linkis,9.8,CRITICAL,0.01013999991118908,false,,false,false,false,,,false,false,,2023-04-10T08:15:00.000Z,0 CVE-2023-27602,https://securityvulnerability.io/vulnerability/CVE-2023-27602,Apache Linkis publicsercice module unrestricted upload of file,"In Apache Linkis versions up to 1.3.1, the PublicService module allows users to upload files without validating the upload path and file types. This lack of restriction can lead to unauthorized access and manipulation of system files. Users are encouraged to upgrade to Linkis version 1.3.2 for enhanced security. If an upgrade is not immediately feasible, enabling file path checks in the configuration settings of linkis.properties is strongly advised.",Apache,Apache Linkis,9.8,CRITICAL,0.022040000185370445,false,,false,false,false,,,false,false,,2023-04-10T08:15:00.000Z,0 CVE-2023-27987,https://securityvulnerability.io/vulnerability/CVE-2023-27987,Apache Linkis gateway module token authentication bypass,"In Apache Linkis versions up to and including 1.3.1, the default token generated during Linkis Gateway deployment exhibits insufficient complexity, making it susceptible to unauthorized access. Attackers can exploit this vulnerability by easily obtaining the default token. To enhance security, it is crucial to upgrade to version 1.3.2 and modify the default token to include randomized elements, following the guidelines provided in the Token authorization documentation. This proactive approach will help safeguard your systems against potential attacks.",Apache,Apache Linkis,9.1,CRITICAL,0.005309999920427799,false,,false,false,false,,,false,false,,2023-04-10T08:15:00.000Z,0 CVE-2022-44644,https://securityvulnerability.io/vulnerability/CVE-2022-44644,Apache Linkis (incubating): The DatasourceManager module has a Local File Read Vulnerability,"In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.  We recommend users upgrade the version of Linkis to version 1.3.1 ",Apache,Apache Linkis (incubating),6.5,MEDIUM,0.00046999999904073775,false,,false,false,false,,,false,false,,2023-01-31T09:40:52.676Z,0 CVE-2022-44645,https://securityvulnerability.io/vulnerability/CVE-2022-44645,Apache Linkis (incubating): The DatasourceManager module has a serialization attack vulnerability,"Apache Linkis versions up to 1.3.0 contain a deserialization vulnerability when integrated with MySQL Connector/J. If an attacker possesses write access to the database and configures a new datasource with malicious parameters, they may exploit this flaw to execute arbitrary code remotely. To mitigate this issue, it is crucial to blacklist certain parameters within the JDBC URL and upgrade to Linkis version 1.3.1 or later.",Apache,Apache Linkis (incubating),8.8,HIGH,0.0027699999045580626,false,,false,false,false,,,false,false,,2023-01-31T09:38:07.355Z,0 CVE-2022-39944,https://securityvulnerability.io/vulnerability/CVE-2022-39944,The Apache Linkis JDBC EngineConn module has a RCE Vulnerability,"In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.2.0 will be affected, We recommend users to update to 1.3.0.",Apache,Apache Linkis,8.8,HIGH,0.0016799999866634607,false,,false,false,false,,,false,false,,2022-10-26T00:00:00.000Z,0