CVE-2023-49566

HIGH8.8EPSS 0.71%

Apache Linkis DataSource's JDBC Datasource Module with DB2 has JNDI Injection vulnerability

Published: 7/15/2024Modified: 3/27/2025

Description

In Apache Linkis <=1.5.0, due to the lack of effective filteringof parameters, an attacker configuring malicious `db2` parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis <=1.5.0 will be affected. We recommend users upgrade the version of Linkis to version 1.6.0.

Affected packages (1)

Maven/org.apache.linkis:linkis-datasourcefrom 0, < 1.6.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-49566
PATCHhttps://github.com/apache/linkis
WEBhttps://linkis.apache.org/download/release-notes-1.6.0
WEBhttps://lists.apache.org/thread/t68yy52lmv7pxgrxnq6rw7rwvk9tb1xj
WEBhttp://www.openwall.com/lists/oss-security/2024/07/13/5