Apache Linkis (incubating): The DatasourceManager module has a Local File Read Vulnerability
Description
In Apache Linkis <=1.3.0, when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting to a rogue MySQL server after setting allowLoadLocalInfile to true in the JDBC parameters. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 are affected.
We recommend users upgrade Linkis to version 1.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Linkis <=1.3.0 allows authenticated attackers to read arbitrary files via a rogue MySQL server by enabling allowLoadLocalInfile in JDBC URL.
Vulnerability
Overview
CVE-2022-44644 affects Apache Linkis versions up to and including 1.3.0 when used with the MySQL Connector/J in the data source module. The root cause is that the JDBC URL parameters are not properly blacklisted, allowing an authenticated attacker to set allowLoadLocalInfile=true. This enables the MySQL client to read arbitrary local files from the Linkis server when connecting to a rogue MySQL server [2].
Exploitation
An attacker must first authenticate to the Linkis instance. They then craft a JDBC connection string that includes the allowLoadLocalInfile=true parameter and points to a malicious MySQL server they control. When Linkis establishes the connection, the MySQL Connector/J client, with that parameter enabled, attempts to load the local files the rogue server asks for, thus exfiltrating sensitive data from the Linkis host [2].
Impact
Successful exploitation allows the attacker to read arbitrary files from the Linkis server's filesystem, potentially exposing configuration files, credentials, or other sensitive information. This could lead to further compromise of the system or data breach [2].
Mitigation
The Apache Linkis project has addressed this vulnerability in version 1.3.1 by blacklisting dangerous JDBC parameters. Users are strongly recommended to upgrade to Linkis 1.3.1 or later [1][2]. No workarounds are documented; upgrading is the only reliable fix.
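One way to implement the parameter blacklist the fix describes, as an added example in Python rather than the project's own Java code: the check parses the query part of a user-supplied jdbc:mysql:// URL and rejects any URL carrying allowLoadLocalInfile, whatever its value. The two extra denied names and the sample host are assumptions, not taken from the advisory.

```python
from urllib.parse import urlsplit, parse_qsl

# Connector/J property names that must never be accepted from a user-supplied
# data source definition.  allowLoadLocalInfile is the parameter named in
# CVE-2022-44644; the other two are related Connector/J file-loading options
# (assumed from the Connector/J documentation, not from the advisory).
DENIED_JDBC_PARAMS = frozenset(
    name.lower()
    for name in (
        "allowLoadLocalInfile",
        "allowLoadLocalInfileInPath",
        "allowUrlInLocalInfile",
    )
)


def jdbc_query_params(jdbc_url: str) -> list[tuple[str, str]]:
    """Return the (key, value) pairs from the query string of a jdbc:mysql:// URL.

    Keys are percent-decoded by parse_qsl and then lowercased, so a differently
    cased or percent-encoded spelling of a denied name cannot slip past the check.
    """
    if not jdbc_url.lower().startswith("jdbc:mysql:"):
        raise ValueError("not a jdbc:mysql URL")
    # Drop the 'jdbc:' prefix so urlsplit sees an ordinary scheme://host/path?query URL.
    parts = urlsplit(jdbc_url[len("jdbc:"):])
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(key.strip().lower(), value) for key, value in pairs if key.strip()]


def denied_jdbc_params(jdbc_url: str) -> list[str]:
    """Denied parameter names present in the URL, whatever their values (empty list = clean)."""
    return sorted({key for key, _ in jdbc_query_params(jdbc_url) if key in DENIED_JDBC_PARAMS})


def is_allowed_jdbc_url(jdbc_url: str) -> bool:
    """True when the URL carries none of the denied parameters."""
    return not denied_jdbc_params(jdbc_url)


if __name__ == "__main__":
    # Constructed sample URLs; db.example.test is a placeholder host.
    for url in (
        "jdbc:mysql://db.example.test:3306/app?user=linkis&useSSL=true",
        "jdbc:mysql://db.example.test:3306/app?user=linkis&allowLoadLocalInfile=true",
        "jdbc:mysql://db.example.test:3306/app?ALLOWLOADLOCALINFILE=false",
        "jdbc:mysql://db.example.test:3306/app?allow%4CoadLocalInfile=true",
    ):
        print(is_allowed_jdbc_url(url), denied_jdbc_params(url), url)
```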
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.linkis:linkis (Maven) | < 1.3.1 | 1.3.1 |
Affected products
- Apache Software Foundation / Apache Linkis (incubating)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-rx76-xw35-6rh8 (advisory)
- lists.apache.org/thread/hwq9ytq6y1kdh9lz5znptkcrdll9x85h (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-44644 (advisory)