CVE-2023-29215
Apache Linkis JDBC EngineConn has deserialization vulnerability
9.8
CRITICAL
CVSS 3.1
EPSS 4.9%
Description
In Apache Linkis <= 1.3.1, the JDBC EngineConn module does not effectively filter the parameters of a MySQL JDBC URL. An attacker who can configure malicious MySQL JDBC parameters in the JDBC EngineConn module can trigger a deserialization vulnerability that ultimately leads to remote code execution. The parameters in the MySQL JDBC URL should therefore be blacklisted, and users should upgrade Linkis to version 1.3.2.
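The parameter filtering the advisory calls for, as an added illustration that is not Linkis's own code: a check over the query parameters of a MySQL JDBC URL that accepts only names on an allowlist, which is stricter than the blacklist the text mentions. The class name, the allowed parameter names and the URL shape are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

/** Allowlist filter for MySQL JDBC URL query parameters (illustrative, not Linkis code). */
public final class JdbcUrlParamFilter {

    // Assumed allowlist of harmless connection options; any other parameter is rejected.
    private static final Set<String> ALLOWED = Set.of(
            "useunicode", "characterencoding", "servertimezone",
            "usessl", "connecttimeout", "sockettimeout");

    private JdbcUrlParamFilter() {}

    /** Returns true only if every query parameter in the URL is on the allowlist. */
    public static boolean isSafe(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.toLowerCase(Locale.ROOT).startsWith("jdbc:mysql://")) {
            return false;                       // only plain MySQL URLs are handled here
        }
        int q = jdbcUrl.indexOf('?');
        if (q < 0) {
            return true;                        // no query string, nothing to filter
        }
        String query = jdbcUrl.substring(q + 1);
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) {
                continue;                       // tolerate "a=1&&b=2"
            }
            int eq = pair.indexOf('=');
            String rawKey = eq < 0 ? pair : pair.substring(0, eq);
            String key;
            try {
                // decode before comparing so a percent-encoded name cannot bypass the check
                key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8)
                        .trim().toLowerCase(Locale.ROOT);
            } catch (IllegalArgumentException e) {
                return false;                   // malformed percent-escape: reject
            }
            if (!ALLOWED.contains(key)) {
                return false;                   // unknown parameter: reject the whole URL
            }
        }
        return true;
    }
}
```

Call isSafe on a user-supplied URL before handing it to the driver; the same allowlist must also be applied to any Properties object passed alongside the URL, since the driver merges both sources.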
How to fix CVE-2023-29215
To remediate CVE-2023-29215, upgrade the affected package to a fixed version below.
- Upgrade to 1.3.2 or later
Is CVE-2023-29215 being exploited?
Low — EPSS is 4.9%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- All versions from 0 up to, but not including, 1.3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |