CVE-2024-45627
Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability
描述
# Affected versions: - Apache Linkis Metadata Query Service JDBC 1.5.0 before 1.7.0 # Description: In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.6.0 will be affected. We recommend users upgrade the version of Linkis to version 1.7.0.
如何修補 CVE-2024-45627
要修補 CVE-2024-45627,請將受影響套件升級到下列已修補版本。
- —升級至 1.7.0 或更新版本
CVE-2024-45627 正在被利用嗎?
低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- >= 1.5.0, < 1.7.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |