CVE-2023-27987

CWE-326, CWE-294 | 4 documents | 4 sources
Severity: 9.1 CRITICAL
EPSS: 0.2% (top 64.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 10
Latest update: Jul 6

Description

In Apache Linkis <=1.3.1, the default token generated by a Linkis Gateway deployment is too simple, so attackers can easily obtain the default token and use it in an attack. Generation rules should add random values. We recommend that users upgrade Linkis to version 1.3.2 and modify the default token value. You can refer to Token authorization [1].

[1] https://linkis.apache.org/docs/latest/auth/token

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages: 3 packages

Vulnerability Details (3)

OSV: Apache Linkis Authentication Bypass vulnerability (2023-07-06)
GHSA: Apache Linkis Authentication Bypass vulnerability (2023-07-06)
CVEList: Apache Linkis gateway module token authentication bypass (2023-04-10)
CVE-2023-27987 (CRITICAL CVSS 9.1) | In Apache Linkis <=1.3.1 | cvebase.io