Apache Linkis DatasourceManager module has a deserialization command execution
CVE-2023-29216
9.8 CRITICAL
Summary
In Apache Linkis versions up to 1.3.1, attackers can exploit a deserialization vulnerability due to insufficient parameter filtering. By using a MySQL data source with malicious configurations, an attacker can potentially execute arbitrary code remotely. Users are advised to upgrade to version 1.3.2 to mitigate this risk.
Affected Version(s)
Apache Linkis 0 <= 1.3.1
CVSS V3.1
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
sw0rd1ight