CVE-2023-29215 — Apache Linkis JDBC EngineConn has deserialization vulnerability

描述

In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EngineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Users should upgrade their version of Linkis to version 1.3.2.

如何修補 CVE-2023-29215

要修補 CVE-2023-29215,請將受影響套件升級到下列已修補版本。

—升級至 1.3.2 或更新版本

CVE-2023-29215 正在被利用嗎?

低 — EPSS 為 4.9%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 1.3.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-29215
PATCHgithub.com/apache/linkis
WEBgithub.com/apache/linkis/commit/7005c01d7f7bca78322447f4f2f32b8398645687
WEBlinkis.apache.org/download/release-notes-1.3.2
WEB