Описание
Apache Linkis subject to Remote Code Execution via deserialization
In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. This issue is patched in version 1.3.0, and users are recommended to upgrade.
Пакеты
org.apache.linkis:linkis
< 1.3.0
1.3.0
Связанные уязвимости
In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.2.0 will be affected, We recommend users to update to 1.3.0.
Уязвимость программного средства соединения, управления и оркестрации приложений Apache Linkis, связана с восстановлением в памяти недостоверных данных, позволяющая нарушителю выполнить произвольный код