org.apache.linkis:linkis-common@1.3.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.linkis:linkis-common package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below gives the vulnerability, its Snyk severity (H = High) and the vulnerable version range.

• Incorrect Permission Assignment for Critical Resource (severity: High)

org.apache.linkis:linkis-common is a module that builds a computation middleware layer to facilitate connection, governance and orchestration between the upper applications and the underlying data engines.

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource. An attacker can gain unauthorized access to the Token information and escalate privileges by exploiting this vulnerability.

Note:

This is only exploitable if the attacker has initial access as a trusted user.

How to fix Incorrect Permission Assignment for Critical Resource?

Upgrade org.apache.linkis:linkis-common to version 1.6.0 or higher.

Vulnerable versions: [,1.6.0)

• Deserialization of Untrusted Data (severity: High)


Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the data source management module when adding a MySQL data source. An attacker can inject and execute malicious files on the server by exploiting the deserialization vulnerability via JRMP. This is only exploitable if the attacker has obtained an authorized account from Linkis.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.linkis:linkis-common to version 1.6.0 or higher.

Vulnerable versions: [,1.6.0)

• Deserialization of Untrusted Data (severity: High)


Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the lack of effective filtering of db2 parameters. An attacker can execute unauthorized code or commands by configuring malicious db2 parameters in the DataSource Manager Module. This is only exploitable if the attacker obtains an authorized account from Linkis.

Exploiting this vulnerability could result in arbitrary file reading.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.linkis:linkis-common to version 1.6.0 or higher.

Vulnerable versions: [,1.6.0)