5.9

CVE-2024-45627

EPSS 0.05%
Veröffentlicht 14.01.2025 17:15:17
Zuletzt bearbeitet 13.05.2025 21:32:24
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability

In Apache Linkis <1.7.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will 

allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.7.0 will be affected. 
We recommend users upgrade the version of Linkis to version 1.7.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Linkis Version < 1.7.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.166

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.9	2.5	3.4	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-552 Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

https://lists.apache.org/thread/0zzx8lldwoqgzq98mg61hojgpvn76xsh

Vendor Advisory

http://www.openwall.com/lists/oss-security/2025/01/14/1

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2024-45627

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45627

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45627

EUVD