Apache Linkis PublicService module unrestricted file upload
Description
In Apache Linkis <=1.3.1, the PublicService module uploads files without restrictions on the path of the uploaded files or on the file types.
We recommend users upgrade Linkis to version 1.3.2.
For versions <=1.3.1, we suggest turning on the file path check switches in linkis.properties:
wds.linkis.workspace.filesystem.owner.check=true
wds.linkis.workspace.filesystem.path.check=true
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Linkis <=1.3.1 PublicService module allows unrestricted file upload, leading to arbitrary file write.
Vulnerability
Overview
CVE-2023-27602 affects Apache Linkis versions up to and including 1.3.1. The PublicService module lacks proper restrictions on the path and file types of uploaded files, enabling an attacker to upload files to arbitrary locations within the system [1].
Exploitation
An attacker with network access to the Linkis PublicService endpoint can exploit this vulnerability by crafting a file upload request that the module accepts without validating the destination path. No authentication is required to trigger the upload functionality, as the module does not enforce proper checks on the destination path or file extension [1].
Impact
Successful exploitation allows an attacker to place arbitrary files in any location on the filesystem where the Linkis service has write permission. This could lead to remote code execution if a malicious file (e.g., a web shell or a configuration override) is written to a location that is later executed or interpreted by the application or system [1][2]. The vulnerability is considered critical because of the potential for full system compromise.
Mitigation
Users should upgrade to Apache Linkis version 1.3.2 or later, which addresses the issue. For deployments that cannot immediately upgrade, administrators can enable file path validation by setting the properties wds.linkis.workspace.filesystem.owner.check=true and wds.linkis.workspace.filesystem.path.check=true in the linkis.properties configuration file [1].
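The description and the mitigation paragraph above give two conditions a defender can check on a deployment: either Linkis is 1.3.2 or later, or, on <=1.3.1, both path-check properties are set to true in linkis.properties. The following Python script is an added example, not code from the Linkis project or from this advisory; its properties reader, version handling and sample inputs are constructed for illustration, and it assumes that a key absent from the file counts as disabled.

```python
"""Audit a Linkis deployment for CVE-2023-27602 exposure.

Added example, not part of the Linkis project. Given the Linkis version and
the text of linkis.properties, report whether the deployment is on a fixed
release (>= 1.3.2) or, if not, whether both path-check properties named in
the advisory are explicitly enabled.
"""
import re

FIXED_VERSION = (1, 3, 2)
# The two properties the advisory recommends enabling on versions <= 1.3.1.
REQUIRED_FLAGS = (
    "wds.linkis.workspace.filesystem.owner.check",
    "wds.linkis.workspace.filesystem.path.check",
)


def parse_version(version):
    """Turn '1.3.1' or '1.4.0-SNAPSHOT' into a comparable tuple of ints.

    Only the numeric core is compared; a pre-release suffix is ignored
    (an assumption of this example, not something the advisory states).
    """
    core = re.match(r"\d+(\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment (a commented-out key is NOT set)
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_enabled(props, key):
    """Absent keys count as disabled: the advisory asks for an explicit 'true'."""
    return props.get(key, "").strip().lower() == "true"


def audit(version, properties_text):
    """Return (status, details); status is 'patched', 'mitigated' or 'vulnerable'."""
    if parse_version(version) >= FIXED_VERSION:
        return "patched", {"version": version}
    props = parse_properties(properties_text)
    flags = {key: is_enabled(props, key) for key in REQUIRED_FLAGS}
    status = "mitigated" if all(flags.values()) else "vulnerable"
    return status, {"version": version, "flags": flags}


# Constructed sample configurations for demonstration.
SAMPLE_BOTH_ON = """\
# constructed linkis.properties excerpt
wds.linkis.workspace.filesystem.owner.check=true
wds.linkis.workspace.filesystem.path.check = true
"""

SAMPLE_ONE_COMMENTED = """\
wds.linkis.workspace.filesystem.owner.check=true
# wds.linkis.workspace.filesystem.path.check=true
"""

if __name__ == "__main__":
    for ver, cfg in [("1.3.2", ""), ("1.3.1", SAMPLE_BOTH_ON), ("1.3.1", SAMPLE_ONE_COMMENTED)]:
        status, details = audit(ver, cfg)
        print(f"Linkis {ver}: {status} {details}")
```

Run it against the real version string and the contents of the deployment's linkis.properties; anything other than "patched" or "mitigated" means the advisory's recommendation is not yet in effect. Note that the script only checks configuration, not whether the running process has actually reloaded it.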
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.linkis:linkis (Maven) | < 1.3.2 | 1.3.2 |
Affected products
- Apache Software Foundation / Apache Linkis
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-x84r-jrqm-3hj8 (GHSA advisory)
- lists.apache.org/thread/wt70jfc0yfs6s5g0wg5dr5klnc48nsp1 (Apache mailing list, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-27602 (NVD advisory)
- www.openwall.com/lists/oss-security/2023/04/10/1 (oss-security)
- www.openwall.com/lists/oss-security/2023/04/18/4 (oss-security)
- www.openwall.com/lists/oss-security/2023/04/19/3 (oss-security)
News mentions
No linked articles in our index yet.