Apache

Linkis

18 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.05%
  • Published 19.01.2026 08:37:24
  • Last modified 27.01.2026 21:11:27

A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitiv...

  • EPSS 0.13%
  • Published 19.01.2026 08:36:06
  • Last modified 27.01.2026 21:12:41

A vulnerability in Apache Linkis. Problem Description: When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may b...

  • EPSS 0.08%
  • Published 14.01.2025 17:15:17
  • Last modified 13.05.2025 21:32:24

In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefor...

  • EPSS 0.12%
  • Published 25.09.2024 01:15:40
  • Last modified 16.05.2025 20:27:25

In Apache Linkis <= 1.5.0, a random string security vulnerability exists in Spark EngineConn: the random string generated by the Token when starting Py4j uses Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes t...

  • EPSS 0.23%
  • Published 02.08.2024 10:16:00
  • Last modified 27.03.2025 16:15:22

In Apache Linkis <= 1.5.0, arbitrary file deletion in Basic management services: a user with an administrator account could delete any file accessible by the Linkis system user. Users are recommended to upgrade to version 1.6.0, which fixes th...

  • EPSS 0.34%
  • Published 02.08.2024 10:15:59
  • Last modified 03.06.2025 21:22:14

In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue.

  • EPSS 0.23%
  • Published 15.07.2024 08:15:02
  • Last modified 14.03.2025 16:15:27

In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC ...

  • EPSS 0.53%
  • Published 15.07.2024 08:15:02
  • Last modified 27.03.2025 16:15:20

In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be b...

  • EPSS 3.95%
  • Published 15.07.2024 08:15:02
  • Last modified 21.11.2024 08:29:20

In Apache Linkis <= 1.5.0, in the data source management module, a remote code execution vulnerability exists when adding a Mysql data source, for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files int...

  • EPSS 0.21%
  • Published 06.03.2024 14:15:47
  • Last modified 07.05.2025 15:46:18

In Apache Linkis <=1.4.0, the password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade the version of Linkis to version 1.5.0.