Apache Linkis publicsercice module unrestricted upload of file
CVE-2023-27602

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Linkis
Vendor: CVE Published:; 10 April 2023

Summary

In Apache Linkis versions up to 1.3.1, the PublicService module allows users to upload files without validating the upload path and file types. This lack of restriction can lead to unauthorized access and manipulation of system files. Users are encouraged to upgrade to Linkis version 1.3.2 for enhanced security. If an upgrade is not immediately feasible, enabling file path checks in the configuration settings of linkis.properties is strongly advised.

Affected Version(s)

Apache Linkis 0 <= 1.3.1

References

https://lists.apache.org/thread/wt70jfc0yfs6s5g0wg5dr5kln...

mailing-listvendor-advisory

http://www.openwall.com/lists/oss-security/2023/04/10/1

http://www.openwall.com/lists/oss-security/2023/04/18/4

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 10, 2023
Vulnerability Reserved
Mar 4, 2023

Credit

Laihan