Multiple vulnerabilities in Apache Linkis
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-44644 CVE-2022-44645 |
| CWE-ID | CWE-200 CWE-502 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Linkis Server applications / Application servers |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU74618
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-44644
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to read contents of arbitrary files.
The vulnerability exists due to the MySQL Connector/J in the data source module allows to read local files by adding the "allowLoadLocalInfile" to true in the JDBC parameter. A remote user can view contents of arbitrary files on the system.
Install updates from vendor's website.
Vulnerable software versionsLinkis: 0.5.0 - 1.3.0
CPE2.3- cpe:2.3:a:apache_foundation:linkis:0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:linkis:0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:linkis:0.7.0:*:*:*:*:*:*:*
https://lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Deserialization of Untrusted Data
EUVDB-ID: #VU74617
Risk: Low
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-44645
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in when used with the MySQL Connector/J. A remote user with write access to the database and ability to configure a MySQL data source and malicious parameters can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsLinkis: 0.5.0 - 1.3.0
CPE2.3- cpe:2.3:a:apache_foundation:linkis:0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:linkis:0.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:linkis:0.7.0:*:*:*:*:*:*:*
https://lists.apache.org/thread/zlcfmvt65blqc4n6fxypg6f0ns8fqfz4
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
