Apache Linkis (incubating): The DatasourceManager module has a serialization attack vulnerability
CVE-2022-44645

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache Linkis (incubating)
Vendor: CVE Published:; 31 January 2023

Summary

Apache Linkis versions up to 1.3.0 contain a deserialization vulnerability when integrated with MySQL Connector/J. If an attacker possesses write access to the database and configures a new datasource with malicious parameters, they may exploit this flaw to execute arbitrary code remotely. To mitigate this issue, it is crucial to blacklist certain parameters within the JDBC URL and upgrade to Linkis version 1.3.1 or later.

Affected Version(s)

Apache Linkis (incubating) 0 <= 1.3.0

References

https://lists.apache.org/thread/zlcfmvt65blqc4n6fxypg6f0n...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 31, 2023
Vulnerability Reserved
Nov 3, 2022

Credit

Tian Xin WU (Bearcat) , Vulnerability Researcher at Numen Cyber Labs, Singapore.

Department of Cyber Security Research (Jumbo, Unc1e)

s3gundo of Hundsun Tech