Apache Linkis Mangaer module engineConn material upload exists Zip Slip issue
CVE-2023-27603

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Linkis
Vendor: CVE Published:; 10 April 2023

Summary

In Apache Linkis version 1.3.1 and earlier, the Manager module's engineConn material upload lacks proper validation for zip file paths. This oversight can lead to a Zip Slip vulnerability, enabling an attacker to exploit the system by executing remote code. Users are advised to upgrade to Apache Linkis version 1.3.2 to mitigate this risk effectively.

Affected Version(s)

Apache Linkis 0 <= 1.3.1

References

https://lists.apache.org/thread/6n1vlvnyn441rm02zdqc0wnpc...

mailing-listvendor-advisory

https://www.openwall.com/lists/oss-security/2023/04/10/2

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 10, 2023
Vulnerability Reserved
Mar 4, 2023

Credit

4ra1n