Apache Linkis Manager module engineConn material upload has a Zip Slip issue
Description
In Apache Linkis <=1.3.1, the Manager module's engineConn material upload does not check the paths of the entries inside the uploaded zip. This is a Zip Slip issue, which can lead to a potential RCE vulnerability.
We recommend users upgrade the version of Linkis to version 1.3.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Linkis <=1.3.1 suffers from a Zip Slip vulnerability in the Manager module's engineConn material upload, allowing potential remote code execution.
Vulnerability
CVE-2023-27603 describes a Zip Slip vulnerability in Apache Linkis versions up to and including 1.3.1. The flaw resides in the Manager module's engineConn material upload functionality, which fails to validate the paths within uploaded ZIP archives. This allows an attacker to craft a malicious ZIP file with directory traversal entries (e.g., ../), leading to arbitrary file write outside the intended extraction directory [2].
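The missing check described above, as an added Python example that is not Linkis's own code: every zip entry is resolved against the extraction root before anything is written, so an entry such as `../../conf/linkis.properties` (or an absolute path) is rejected. The `/tmp/linkis-material` root, the engineConn entry names and the file contents are constructed sample values, not the project's real paths.

```python
import io
import os
import tempfile
import zipfile

def entry_is_inside(dest_dir: str, entry_name: str) -> bool:
    """True only if the entry, once joined and normalized, still lies under dest_dir.
    os.path.join discards dest_dir for absolute names, so those are caught as well."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    return target == root or target.startswith(root + os.sep)

def find_traversal_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """The Zip Slip check the upload lacked: entry names that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not entry_is_inside(dest_dir, n)]

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Validate every entry first; reject the whole archive if any path escapes."""
    bad = find_traversal_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"rejected archive, escaping entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_dir, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def build_sample_archive(with_traversal: bool) -> bytes:
    """Constructed sample material archive (hypothetical names), optionally with an
    entry whose '../' components would land outside the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("engineconn/conf/engine.properties", "engine.type=spark\n")
        if with_traversal:
            zf.writestr("../../conf/linkis.properties", "# outside the extraction dir\n")
    return buf.getvalue()

def extract_sample_to_tempdir() -> list:
    """Extract the benign sample into a fresh temp dir; returns paths relative to it."""
    dest = os.path.realpath(tempfile.mkdtemp(prefix="linkis-material-"))
    return [os.path.relpath(p, dest) for p in safe_extract(build_sample_archive(False), dest)]
```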
Attack Vector
The attack is initiated by sending a specially crafted ZIP file to the Manager module's upload endpoint. No authentication is explicitly required, but the attacker must have network access to the Linkis Manager service. The Zip Slip technique exploits the lack of path normalization or validation, enabling the extracted files to be placed in arbitrary locations on the server file system [3].
Impact
Successful exploitation can result in arbitrary file write, which may be leveraged to achieve remote code execution (RCE). By overwriting critical files such as application configuration or library files, an attacker could execute arbitrary code in the context of the Linkis server process [2][3].
Mitigation
Apache Linkis has addressed this issue in version 1.3.2. Users are strongly advised to upgrade to this version or later. No official workaround is available, making patch application the primary remediation [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.linkis:linkis (Maven) | < 1.3.2 | 1.3.2 |
Affected products
- Apache Software Foundation / Apache Linkis
References
- github.com/advisories/GHSA-pj5j-w7mw-w797 (GitHub Security Advisory)
- lists.apache.org/thread/6n1vlvnyn441rm02zdqc0wnpckj8ltn8 (Apache mailing list, vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-27603 (NVD)
- www.openwall.com/lists/oss-security/2023/04/10/2 (oss-security)