CVE-2022-44645

Severity: 8.8 HIGH
EPSS: 2.6% (top 14.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 31

Description

In Apache Linkis <=1.3.0, when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a new datasource with a MySQL data source and malicious parameters. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 are affected. We recommend that users upgrade Linkis to version 1.3.1.
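
One way to apply the advice above about restricting JDBC URL parameters, written as an allowlist rather than a blacklist so that unknown driver properties are refused by default. This is an added example, not Apache Linkis code or its 1.3.1 fix; the permitted parameter set, the strict URL shape, and all function names are assumptions.

```python
import re
from urllib.parse import quote, unquote

# Assumption: the only driver properties this deployment needs (lowercase -> canonical).
ALLOWED_PARAMS = {"usessl": "useSSL", "characterencoding": "characterEncoding",
                  "connecttimeout": "connectTimeout", "sockettimeout": "socketTimeout"}

# Strict shape only: jdbc:mysql://host[:port]/database[?query]
_URL_RE = re.compile(
    r"^jdbc:mysql://([A-Za-z0-9.-]+)(?::(\d{1,5}))?/([A-Za-z0-9_]+)(?:\?(.*))?$")

class UnsafeJdbcUrl(ValueError):
    """Raised when a user-supplied JDBC URL fails validation."""

def _decode_fully(text, max_rounds=3):
    """Percent-decode until stable so nested encoding cannot hide a key."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            return decoded
        text = decoded
    raise UnsafeJdbcUrl("excessive percent-encoding")

def validate_mysql_jdbc_url(url):
    """Return a rebuilt, canonical URL or raise UnsafeJdbcUrl."""
    match = _URL_RE.match(url.strip())
    if not match:
        raise UnsafeJdbcUrl("not in strict jdbc:mysql://host[:port]/db form")
    host, port, database, query = match.groups()
    params = {}
    for pair in filter(None, (query or "").split("&")):
        raw_key, _, raw_value = pair.partition("=")
        key = _decode_fully(raw_key).strip().lower()  # compare keys case-insensitively
        if key not in ALLOWED_PARAMS:
            raise UnsafeJdbcUrl(f"parameter not allowed: {key!r}")
        if key in params:
            raise UnsafeJdbcUrl(f"duplicate parameter: {key!r}")
        params[key] = _decode_fully(raw_value)
    # Rebuild from validated parts; the caller's original string is never passed on.
    rebuilt = f"jdbc:mysql://{host}:{port or 3306}/{database}"
    if params:
        rebuilt += "?" + "&".join(
            f"{ALLOWED_PARAMS[k]}={quote(v, safe='')}" for k, v in params.items())
    return rebuilt

def is_safe(url):
    """Boolean wrapper around validate_mysql_jdbc_url."""
    try:
        validate_mysql_jdbc_url(url)
        return True
    except UnsafeJdbcUrl:
        return False
```

The validated, rebuilt string is what should reach the driver, so any part of the input the validator did not parse is dropped.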

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages: 3 packages

Vulnerability Details (3)

GHSA: Apache Linkis contains Deserialization of Untrusted Data (2023-01-31)
OSV: Apache Linkis contains Deserialization of Untrusted Data (2023-01-31)
CVEList: Apache Linkis (incubating): The DatasourceManager module has a serialization attack vulnerability (2023-01-31)