CVE-2023-49566

July 15, 2024, 1 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Apache Linkis

  • <=1.5.0

Source

security@apache.org

Tags

CVE-2023-49566 details

Published : July 15, 2024, 8:15 a.m.
Last Modified : July 15, 2024, 1 p.m.

Description

In Apache Linkis <=1.5.0, because the DataSource Manager module does not effectively filter data-source parameters, an attacker who configures malicious DB2 connection parameters can achieve JNDI injection. The parameters in the DB2 URL should therefore be blacklisted. This attack requires the attacker to first obtain an authorized Linkis account. Versions of Apache Linkis <=1.5.0 are affected. We recommend users upgrade Linkis to version 1.6.0.

CVSS Score


Weakness

Weakness: CWE-502
Name: Deserialization of Untrusted Data
Description: The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

URL: https://lists.apache.org/thread/t68yy52lmv7pxgrxnq6rw7rwvk9tb1xj
Source: security@apache.org