CVE-2023-41916

EPSS 0.17%
Veröffentlicht 15.07.2024 08:15:02
Zuletzt bearbeitet 14.03.2025 16:15:27
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

In Apache Linkis =1.4.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected. 
We recommend users upgrade the version of Linkis to version 1.5.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Linkis Version >= 1.4.0 < 1.6.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.388

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-552 Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

https://lists.apache.org/thread/dxkpwyoxy1jpdwlpqp15zvo0jxn4v729

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2024/07/13/4

https://nvd.nist.gov/vuln/detail/CVE-2023-41916

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-41916

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-41916

EUVD