CVE-2024-39928
Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability
7.5
HIGH
CVSS 3.1
EPSS 0.16%
Description
In Apache Linkis <= 1.5.0, the Spark EngineConn is affected by a random-string security vulnerability: the token generated when starting Py4j is built from a random string produced by Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes this issue.
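The weak pattern the description names, beside two hardened forms, as an added example (this is not Linkis's own code); the class and method names are hypothetical, and a commons-lang3 dependency on the classpath is assumed:

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.apache.commons.lang3.RandomStringUtils;

/** Hypothetical token helper contrasting the weak and the hardened pattern. */
public final class Py4jTokenExample {
    private static final int TOKEN_CHARS = 32;
    private static final SecureRandom SECURE = new SecureRandom();

    /**
     * Weak pattern: randomAlphanumeric draws from Commons Lang's default
     * java.util.Random-family generator, which is not cryptographically
     * secure, so an auth token built this way is predictable once the
     * generator state can be inferred.
     */
    static String weakToken() {
        return RandomStringUtils.randomAlphanumeric(TOKEN_CHARS);
    }

    /**
     * Hardened, same charset: the overload that takes a Random lets the
     * caller pass a SecureRandom as the source (start/end 0 with letters
     * and numbers true yields the alphanumeric range).
     */
    static String secureTokenSameCharset() {
        return RandomStringUtils.random(TOKEN_CHARS, 0, 0, true, true, null, SECURE);
    }

    /** Hardened, no Commons Lang: 32 CSPRNG bytes (256 bits), URL-safe Base64. */
    static String secureTokenRawBytes() {
        byte[] buf = new byte[32];
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        System.out.println("weak     : " + weakToken());
        System.out.println("secure   : " + secureTokenSameCharset());
        System.out.println("raw bytes: " + secureTokenRawBytes());
    }
}
```

Auditing for this class of defect means grepping for RandomStringUtils (and java.util.Random) wherever a value is used as a secret, and moving those call sites to a SecureRandom-backed source.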
How to fix CVE-2024-39928
To remediate CVE-2024-39928, upgrade the affected package to a fixed version below.
- Upgrade to 1.6.0 or later
Is CVE-2024-39928 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Apache Linkis: all versions from 0 up to, but not including, 1.6.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |