Products
Apache Linkis
- <= 1.5.0
Source
security@apache.org
Tags
CVE-2024-39928 details
Published : Sept. 25, 2024, 1:15 a.m.
Last Modified : Sept. 25, 2024, 1:36 a.m.
Last Modified : Sept. 25, 2024, 1:36 a.m.
Description
In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes this issue.
CVSS Score
1 | 2 | 3 | 4 | 5 | 6 | 7.5 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|---|---|
CWE-326 | Inadequate Encryption Strength | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
7.5
Exploitability Score
3.9
Impact Score
3.6
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
URL | Source |
---|---|
https://lists.apache.org/thread/g664n13nb17rsogcfrn8kjgd8m89p8nw | security@apache.org |
This website uses the NVD API, but is not approved or certified by it.