CVE-2022-44644

CWE-20 — Improper Input Validation CWE-200 — Information Exposure CWE-312 — Cleartext Storage of Sensitive Info4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 54.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Linkis (incubating)Apache Linkis

Timeline

PublishedJan 31

Description

In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.1

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.linkis:linkis< 1.3.1

▶CVEListV5apache_software_foundation/apache_linkis_(incubating)< 1.3.1

▶NVDapache/linkis1.3.0

🔴Vulnerability Details

GHSA

Apache Linkis vulnerable to Exposure of Sensitive Information↗2023-01-31

▶

OSV

Apache Linkis vulnerable to Exposure of Sensitive Information↗2023-01-31

▶

CVEList

Apache Linkis (incubating): The DatasourceManager module has a Local File Read Vulnerability↗2023-01-31

▶