org.apache.linkis:linkis-engineplugin-jdbc@1.1.2 vulnerabilities

  • latest version

    1.6.0

  • latest non vulnerable version

  • first published

    2 years ago

  • latest version published

    5 months ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.linkis:linkis-engineplugin-jdbc package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the parameters not being effectively filtered, allowing an attacker to use the MySQL data source and malicious parameters to configure a new data source and trigger the vulnerability.

    How to fix Deserialization of Untrusted Data?

    Upgrade org.apache.linkis:linkis-engineplugin-jdbc to version 1.3.2 or higher.

    [,1.3.2)
    • C
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the JDBC EengineConn Module when configuring Mysql JDBC parameters. This can lead to remote code execution.

    How to fix Deserialization of Untrusted Data?

    Upgrade org.apache.linkis:linkis-engineplugin-jdbc to version 1.3.2 or higher.

    [,1.3.2)
    • H
    Remote Code Execution (RCE)

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) when used in conjunction with the MySQL Connector/J. An attacker with write access to a database can configure a JDBC EC with a MySQL data source and malicious parameters.

    Note

    The parameters in the jdbc url should be blacklisted.

    How to fix Remote Code Execution (RCE)?

    Upgrade org.apache.linkis:linkis-engineplugin-jdbc to version 1.3.0 or higher.

    [,1.3.0)