CVE-2022-39944

HIGH8.8EPSS 1.4%

Apache Linkis subject to Remote Code Execution via deserialization

Published: 10/26/2022Modified: 11/8/2023

Description

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. This issue is patched in version 1.3.0, and users are recommended to upgrade.

Affected packages (1)

Maven/org.apache.linkis:linkisfrom 0, < 1.3.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-39944
PATCHhttps://github.com/apache/incubator-linkis
WEBhttps://lists.apache.org/thread/rxytj48q17304snonjtyt5lnlw64gccc