CVE-2022-39944

Severity
8.8 HIGH
EPSS
1.4%
top 19.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published 2022-10-26

Description

In Apache Linkis <= 1.2.0, when used with MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists: an attacker who has write access to a database and configures a JDBC EngineConn (EC) with a MySQL data source can supply malicious connection parameters in the JDBC URL, and the driver honours them. Parameters in the JDBC URL should therefore be blacklisted before the URL reaches the driver. Versions of Apache Linkis <= 1.2.0 are affected; users should update to 1.3.0.
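The mitigation the description calls for, a check on Connector/J connection properties before a user-supplied URL is handed to the driver, as an added example in Python; it is not Linkis project code and not the blacklist shipped in 1.3.0. The blocked-property set, the function names and the sample URLs are this example's own choices. The two alternative host syntaxes it parses, address=(host=h)(port=p)(key=value) and (host=h,port=p,key=value), are the ones Connector/J documents; a filter that inspects only the ?query string misses properties passed through them.

```python
import re
from typing import Optional

# Connector/J connection properties that let the *server side* of a MySQL
# session drive dangerous behaviour in the JDBC client: deserialising BLOB
# bytes into Java objects, loading attacker-named interceptor classes, or
# shipping local files via LOAD DATA LOCAL INFILE. This set is the example's
# own choice (an assumption), not the list shipped in Linkis 1.3.0.
BLOCKED_PROPERTIES = frozenset({
    "autodeserialize",
    "queryinterceptors",
    "statementinterceptors",
    "exceptioninterceptors",
    "connectionlifecycleinterceptors",
    "allowloadlocalinfile",
    "allowurlinlocalinfile",
    "allowloadlocalinfileinpath",
})

_PAREN_GROUP = re.compile(r"\(([^()]*)\)")


def _norm(key: str) -> str:
    # Percent-decode, trim and lower-case so "autoDeserializ%65" and
    # " AUTODESERIALIZE " cannot slip past a literal string comparison.
    # Connector/J 8 matches property names case-insensitively; being at
    # least as strict as the driver is the point.
    from urllib.parse import unquote
    return unquote(key).strip().lower()


def jdbc_url_properties(url: str) -> dict:
    """Return every key=value pair a Connector/J URL can carry.

    Besides the usual ?key=value&... query string, Connector/J documents two
    host syntaxes that also accept connection properties:
      jdbc:mysql://address=(host=h)(port=3306)(key=value)/db
      jdbc:mysql://(host=h,port=3306,key=value)/db
    Parsing is deliberately simple (split on ://, ?, and /) and is an
    assumption of this example, not the driver's own parser.
    """
    from urllib.parse import unquote
    if "://" not in url:
        raise ValueError("malformed JDBC URL")
    rest = url.split("://", 1)[1]
    base, _, query = rest.partition("?")
    authority = base.split("/", 1)[0]

    props = {}
    # Properties smuggled through the parenthesised host forms.
    for group in _PAREN_GROUP.findall(authority):
        for item in group.split(","):
            k, sep, v = item.partition("=")
            if sep:
                props[_norm(k)] = v.strip()
    # Properties in the query string.
    for item in query.split("&"):
        k, sep, v = item.partition("=")
        if sep:
            props[_norm(k)] = unquote(v)
    return props


def blocked_properties(url: str, extra: Optional[dict] = None) -> list:
    """Normalised names of blocked properties found in the URL or in the
    java.util.Properties-style map that callers often pass beside it.
    The key is blocked regardless of its value: a driver may accept
    "true", "TRUE" or "yes", so value parsing is not worth the risk."""
    found = set(jdbc_url_properties(url))
    if extra:
        found.update(_norm(k) for k in extra)
    return sorted(found & BLOCKED_PROPERTIES)


def assert_safe_jdbc_url(url: str, extra: Optional[dict] = None) -> str:
    """Return the URL unchanged, or raise if it carries a blocked property."""
    bad = blocked_properties(url, extra)
    if bad:
        raise ValueError(f"refusing JDBC URL: blocked properties {bad}")
    return url


if __name__ == "__main__":
    # Constructed sample URLs (not from any real incident).
    samples = [
        "jdbc:mysql://db.example.internal:3306/analytics?useSSL=true",
        "jdbc:mysql://192.0.2.10:3306/x?autoDeserialize=true"
        "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor",
        "jdbc:mysql://address=(host=192.0.2.10)(port=3306)(autoDeserialize=true)/x",
        "jdbc:mysql://(host=192.0.2.10,port=3306,allowLoadLocalInfile=true)/x",
        "jdbc:mysql://192.0.2.10/x?autoDeserializ%65=true",
    ]
    for s in samples:
        print(blocked_properties(s) or "ok", "<-", s)
```

A blacklist is what the advisory asks for and is what the example implements, but an allowlist of the handful of properties a data source actually needs (host, port, user, TLS settings, timezone) is the stronger shape, because Connector/J gains new properties over time and the interceptor-style ones are exactly the kind a blacklist tends to lag on. Whichever shape is used, apply it to the Properties object as well as the URL, since the driver merges both.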

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

NVD: apache/linkis 1.2.0
CVEListV5: apache_software_foundation/apache_linkis (Apache Linkis) 1.2.0

Vulnerability Details (3 sources)

CVEList: The Apache Linkis JDBC EngineConn module has a RCE Vulnerability (2022-10-26)
GHSA: Apache Linkis subject to Remote Code Execution via deserialization (2022-10-26)
OSV: Apache Linkis subject to Remote Code Execution via deserialization (2022-10-26)