Apache Linkis Remote Code Execution Vulnerability
CVE-2023-46801
Summary
In Apache Linkis versions up to and including 1.5.0, the data source management module can be abused for remote code execution when a MySQL data source is added. The attack works against deployments running a Java version older than 1.8.0_241: a deserialization flaw reachable through the Java Remote Method Protocol (JRMP) lets an attacker write malicious files to the server and execute arbitrary code. Exploitation requires an authorized account in the Linkis environment, so restricting which users may create data sources limits exposure, but it is not a substitute for patching. To mitigate, upgrade Java to 1.8.0_241 or later, or upgrade Apache Linkis to version 1.6.0 or later.
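As an added check, not code from the Apache Linkis project or from the advisory, the Python below encodes the two affected-version conditions stated above (Linkis 1.4.0 up to but not including 1.6.0, Java older than 1.8.0_241) and classifies a deployment, handling both the legacy `1.8.0_241` and the newer `11.0.12` Java version formats. The `denied_mysql_params` deny list is an assumption: the advisory does not say which driver options the reported attack relies on, and the list holds MySQL Connector/J options that practitioners commonly refuse when a data source's connection parameters are user-controlled. All function and constant names are this example's own.

```python
"""Exposure check for CVE-2023-46801 (Apache Linkis DataSource).

Added example, not Linkis project code. It encodes the two conditions the
advisory states: Linkis 1.4.0 <= version < 1.6.0 and Java older than 1.8.0_241.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

JAVA_FIXED = (8, 0, 241)          # 1.8.0_241: first Java 8 update the advisory calls safe
LINKIS_AFFECTED_FROM = (1, 4, 0)  # inclusive
LINKIS_FIXED_IN = (1, 6, 0)       # exclusive

_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")     # 1.8.0_241, 1.7.0_80
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")   # 11.0.12, 17, 9.0.4
_QUOTED = re.compile(r'version "([^"]+)"')               # first line of `java -version`


def parse_java_version(text: str) -> Tuple[int, int, int]:
    """Map a Java version string to a comparable (feature, minor, update) tuple.

    Accepts either the bare string ('1.8.0_241', '11.0.12') or a full
    `java -version` banner. Build suffixes such as '-b08' or '+9' are ignored.
    """
    m = _QUOTED.search(text)
    text = (m.group(1) if m else text).strip().strip('"')
    m = _LEGACY.match(text)
    if m:                      # pre-JEP-223 form: 1.<feature>.<minor>_<update>
        return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    m = _MODERN.match(text)
    if m:                      # JEP 223 form: <feature>.<interim>.<update>
        return int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0)
    raise ValueError(f"unrecognised Java version: {text!r}")


def parse_linkis_version(text: str) -> Tuple[int, int, int]:
    """Extract x.y.z from strings such as '1.5.0', 'v1.4.0' or 'linkis-1.5.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Linkis version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def java_is_affected(version: str) -> bool:
    # The advisory gives a single threshold; anything that sorts below
    # 1.8.0_241 (Java 7, Java 8 updates before 241) is treated as affected.
    return parse_java_version(version) < JAVA_FIXED


def linkis_is_affected(version: str) -> bool:
    return LINKIS_AFFECTED_FROM <= parse_linkis_version(version) < LINKIS_FIXED_IN


def exposure(java_version: str, linkis_version: str) -> str:
    """'vulnerable' when both advisory conditions hold, 'java-mitigated' when
    only the Linkis range matches, 'not-affected' otherwise."""
    if not linkis_is_affected(linkis_version):
        return "not-affected"
    return "vulnerable" if java_is_affected(java_version) else "java-mitigated"


# Assumption, not from the advisory: as a compensating control while an
# upgrade is pending, refuse MySQL Connector/J options that let a
# server-controlled connection drive client-side deserialization or local
# file reads. The advisory does not name which option the attack uses.
DENIED_MYSQL_PARAMS = {
    "autodeserialize",
    "allowloadlocalinfile",
    "allowurlinlocalinfile",
    "allowloadlocalinfileinpath",
}


def denied_mysql_params(params: Dict[str, str]) -> List[str]:
    """Return the data source connection parameters that hit the deny list.

    Keys are URL-decoded and lower-cased before comparison so that trivial
    evasions such as 'AutoDeserialize' or 'auto%44eserialize' are still caught
    (JDBC URL query strings are decoded by the driver before option lookup).
    """
    return sorted(k for k in params if unquote(k).lower() in DENIED_MYSQL_PARAMS)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    banner = 'java version "1.8.0_202"'          # what `java -version 2>&1` prints
    print(exposure(banner, "1.5.0"))             # vulnerable
    print(exposure("1.8.0_241", "1.5.0"))        # java-mitigated
    print(exposure("11.0.12", "1.6.0"))          # not-affected
    print(denied_mysql_params({"useSSL": "false", "AutoDeserialize": "true"}))
```

`java -version` writes its banner to stderr, so capture it with `java -version 2>&1` before passing it to `parse_java_version`. The deny list only helps if the Linkis version in use exposes raw driver parameters to data source creators; it does not replace the upgrade the advisory recommends.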
Affected Version(s)
Apache Linkis DataSource: 1.4.0 up to but not including 1.6.0 (1.4.0 through 1.5.0; fixed in 1.6.0)
References
CVSS V3.1
Timeline
Vulnerability published