CVE-2024-39928
Severity
7.5 HIGH
EPSS
0.2%
top 63.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Sep 25
Description
In Apache Linkis <= 1.5.0, Spark EngineConn has a random string security vulnerability: the random string for the token generated when starting Py4j is produced with Commons Lang's RandomStringUtils.
Users are recommended to upgrade to version 1.6.0, which fixes this issue.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 3 packages
Vulnerability Details (3)
OSV
Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability (2024-09-25)
GHSA
Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability (2024-09-25)
CVEList
Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability (2024-09-24)