VYPR
Moderate severity · NVD Advisory · Published Mar 6, 2024 · Updated Feb 13, 2025

Apache Linkis DataSource: DataSource module Oracle SQL Database Password Logged

CVE-2023-50740

Description

In Apache Linkis <=1.4.0, the password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade Linkis to version 1.5.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Linkis <=1.4.0 writes the Oracle database password in plaintext to its service log when the DataSource module opens an Oracle connection, exposing the credential to anyone who can read those logs.

Overview

CVE-2023-50740 affects Apache Linkis versions up to and including 1.4.0. The vulnerability is in the DataSource module: when an Oracle data source is configured, OracleMetaService.getConnection writes the plaintext password of the Oracle connection to the application log at INFO level, so anyone who can read the log files obtains the credential [1][4]. The root cause is an ordinary log statement that passes the password as a placeholder argument alongside host, port, username and database, with no masking. The fix commit shown below removes that argument. The same commit also removes an equivalent statement from the MongoDB data source and stops several admin REST endpoints from logging and echoing the admin token, although the CVE description covers only the Oracle case.

Exploitation

To exploit this issue an attacker needs read access to the Linkis service logs, either on the host's filesystem or through any system the logs are shipped to (a log aggregation platform, a backup, a shared volume). No Linkis account is needed; the password is read straight out of the logged text [2][4]. Attack complexity is low, and if log files are world-readable or are aggregated without access control the prerequisites are minimal.

Impact

A successful attacker obtains the Oracle database password, which may be reused on other systems or used to read, modify or exfiltrate data in the Oracle database with whatever privileges the Linkis account holds. The confidentiality impact is high; integrity and availability of Linkis itself are not affected by the logging, and the downstream impact on the database depends on the leaked account's privileges. The CVSS v3.1 base score is 5.5 (Medium), reflecting the requirement for local access and the value of the credential [3].

Mitigation

Apache Linkis fixed the issue in version 1.5.0, and users are strongly advised to upgrade to 1.5.0 or later [1][2][4]. Upgrading stops new leaks but does nothing about passwords already written: search existing log files, rotated archives and any log aggregation or backup copies for the leaked lines, and rotate the affected Oracle (and, per the patch below, MongoDB) credentials once the upgrade is in place. As an interim measure on unpatched systems, restrict log files to the Linkis service account with strict file permissions, keep them out of shared aggregation pipelines, and monitor access to them.
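The search-and-rotate step above, as an added example that is not part of the original advisory or of the Linkis project. The first and third patterns follow the SLF4J message formats removed in the fix commit on this page (OracleMetaService and MongoDbConnection); the second, for the "oracle connection params:{}" line that the fix leaves in place, assumes that map's toString() contains a password key, which the commit does not show. The entries in SAMPLE_LOG_LINES are constructed for the example, not captured from a real deployment.

```python
"""Find and redact database passwords leaked by Linkis <=1.4.0 log statements.

Added example (not Linkis project code). Patterns follow the SLF4J messages
removed in the fix commit; the sample log lines below are constructed.
"""
from __future__ import annotations

import re
import sys
from typing import Iterable

# Message formats in the pre-1.5.0 code. SLF4J substitutes each {} with the raw
# argument, so the secret sits between "password:" and the next field.
LEAK_PATTERNS = [
    # OracleMetaService: "oracle connection host:{},port:{},username:{},password:{},database:{}"
    ("oracle", re.compile(
        r"oracle connection host:(?P<host>[^,]*),port:(?P<port>[^,]*),"
        r"username:(?P<user>[^,]*),password:(?P<secret>.*?),database:")),
    # OracleMetaService: "oracle connection params:{}" (left in place by the fix).
    # Assumption: params is a java.util.Map whose toString() holds a password key.
    ("oracle-params", re.compile(
        r"oracle connection params:.*?password=(?P<secret>[^,}]*)")),
    # MongoDbConnection: "mongo information is database:{}, username:{}, passwordd:{} "
    ("mongo", re.compile(
        r"mongo information is database:(?P<db>[^,]*), username:(?P<user>[^,]*), "
        r"passwordd:(?P<secret>.*?)\s*$")),
]

REDACTED = "[REDACTED]"

# Constructed sample: three leaking lines and one line in the fixed 1.5.0 format.
SAMPLE_LOG_LINES = [
    "2023-12-01 10:15:02.113 INFO  [exec-3] o.a.l.m.q.s.OracleMetaService - "
    "oracle connection params:{host=ora-db01, port=1521, username=linkis_app, "
    "password=Sup3r$ecret!, database=ORCLPDB1}",
    "2023-12-01 10:15:02.114 INFO  [exec-3] o.a.l.m.q.s.OracleMetaService - "
    "oracle connection host:ora-db01,port:1521,username:linkis_app,"
    "password:Sup3r$ecret!,database:ORCLPDB1",
    "2023-12-01 10:16:40.502 INFO  [exec-7] o.a.l.m.q.s.MongoDbConnection - "
    "mongo information is database:metrics, username:mongo_ro, passwordd:m0ng0-pass ",
    "2023-12-01 10:17:01.000 INFO  [exec-7] o.a.l.m.q.s.OracleMetaService - "
    "oracle connection host:ora-db02,port:1521,username:reporting,database:ORCLPDB2",
]


def find_leaks(lines: Iterable[str]) -> list[dict]:
    """One finding per leaked secret: line number, source, username and secret.

    The secret is returned so a caller can decide which accounts to rotate;
    never print the findings into yet another log.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for source, pattern in LEAK_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({
                    "line": lineno,
                    "source": source,
                    "username": m.groupdict().get("user"),
                    "secret": m.group("secret"),
                })
    return findings


def redact(line: str) -> str:
    """Replace each leaked secret with a fixed marker, keeping the rest of the
    line intact so the redacted log stays useful for debugging."""
    for _, pattern in LEAK_PATTERNS:
        m = pattern.search(line)
        if m:
            start, end = m.span("secret")
            line = line[:start] + REDACTED + line[end:]
    return line


def redact_lines(lines: Iterable[str]) -> list[str]:
    return [redact(line) for line in lines]


def accounts_to_rotate(lines: Iterable[str]) -> set[tuple[str, str]]:
    """Distinct (source, username) pairs whose password appeared in the log."""
    return {(f["source"], f["username"]) for f in find_leaks(lines) if f["username"]}


if __name__ == "__main__":
    # Usage: python scan_linkis_logs.py [logfile ...]; with no file, scans the sample.
    lines = SAMPLE_LOG_LINES
    if len(sys.argv) > 1:
        lines = []
        for path in sys.argv[1:]:
            with open(path, errors="replace") as fh:
                lines.extend(ln.rstrip("\n") for ln in fh)
    for hit in find_leaks(lines):
        print(f"line {hit['line']}: {hit['source']} password for user {hit['username']!r} leaked")
    print("rotate:", sorted(accounts_to_rotate(lines)))
```

Run it over the live log directory, the rotated archives and an export from the aggregation platform; the rotate list is the set of database accounts whose password must be changed, and redact_lines gives a copy that can be retained without the secrets. The patterns are anchored on the exact message text, so a line in the fixed 1.5.0 format (the last sample line) is not reported.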

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.linkis:linkis (Maven)
Affected versions: < 1.5.0
Patched versions: 1.5.0

Affected products

2

Patches

1
08cbcfca140a

remove unnecessary log print

https://github.com/apache/linkis · peacewong · Dec 13, 2023 · via ghsa
8 files changed · +10 −19
  • .github/workflows/publish-snapshot.yml+1 1 modified
    @@ -29,7 +29,7 @@ jobs:
           fail-fast: false
           matrix:
             branch:
    -          - dev-1.4.0
    +          - dev-1.5.0
         steps:
           - name: Checkout repository
             uses: actions/checkout@v2
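Review bot: the dev-1.4.0 to dev-1.5.0 change in the snapshot build matrix is release housekeeping with no bearing on the credential-logging fix; bundling it here means anyone backporting the fix to a 1.4.x branch has to pick the commit apart by hand. Move it, together with the LINKIS_VERSION bump in linkis-env.sh, into a separate version-bump commit.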
    
  • linkis-computation-governance/linkis-manager/linkis-application-manager/src/main/java/org/apache/linkis/manager/am/restful/ECResourceInfoRestfulApi.java+1 2 modified
    @@ -237,8 +237,7 @@ public Message queryEcList(HttpServletRequest req, @RequestBody JsonNode jsonNod
         // check special admin token
         if (StringUtils.isNotBlank(token)) {
           if (!Configuration.isAdminToken(token)) {
    -        logger.warn("Token:{} has no permission to query ecList.", token);
    -        return Message.error("Token:" + token + " has no permission to query ecList.");
    +        return Message.error("Token has no permission to query ecList.");
           }
         } else if (!Configuration.isAdmin(username)) {
           logger.warn("User:{} has no permission to query ecList.", username);
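Review bot: removing the logger.warn("Token:{} ...") line outright also removes the only record that someone presented an invalid admin token, which is exactly the signal an operator wants when looking for token guessing. Keep a warning that omits the secret, for example logger.warn("Invalid admin token presented to queryEcList by user {}", username); username is already in scope, as the else-if branch below shows. Dropping the token from the Message.error body is right: the caller already knows what they sent, so echoing it only helps whoever reads the response in a proxy or access log.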
    
  • linkis-computation-governance/linkis-manager/linkis-application-manager/src/main/java/org/apache/linkis/manager/am/restful/EngineRestfulApi.java+1 2 modified
    @@ -479,8 +479,7 @@ public Message killEngineAsyn(HttpServletRequest req, @RequestBody JsonNode json
         // check special token
         if (StringUtils.isNotBlank(token)) {
           if (!Configuration.isAdminToken(token)) {
    -        logger.warn("Token {} has no permission to asyn kill engines.", token);
    -        return Message.error("Token:" + token + " has no permission to asyn kill engines.");
    +        return Message.error("Token  has no permission to asyn kill engines.");
           }
         } else if (!Configuration.isAdmin(username)) {
           logger.warn("User {} has no permission to asyn kill engines.", username);
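Review bot: the new message "Token  has no permission to asyn kill engines." has a double space where the token value used to be; tidy it to a single space. As in ECResourceInfoRestfulApi, keep a warning without the token so failed admin-token checks still leave a trace, for example logger.warn("Invalid admin token presented to killEngineAsyn by user {}", username).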
    
  • linkis-dist/deploy-config/linkis-env.sh+1 1 modified
    @@ -167,7 +167,7 @@ export SERVER_HEAP_SIZE="512M"
     ##The extended lib such mysql-connector-java-*.jar
     #LINKIS_EXTENDED_LIB=/appcom/common/linkisExtendedLib
     
    -LINKIS_VERSION=1.4.0
    +LINKIS_VERSION=1.5.0
     
     # for install
     LINKIS_PUBLIC_MODULE=lib/linkis-commons/public-module
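Review bot: LINKIS_VERSION=1.5.0 in the deploy config is a release bump unrelated to the logging fix; it belongs in the release commit so this change can be cherry-picked onto 1.4.x without also changing the version the installer reports.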
    
  • linkis-engineconn-plugins/spark/src/main/scala/org/apache/linkis/engineplugin/spark/executor/SQLSession.scala+1 0 modified
    @@ -69,6 +69,7 @@ object SQLSession extends Logging {
             "Spark application sc has already stopped, please restart it."
           )
         }
    +
         val startTime = System.currentTimeMillis()
         //    sc.setJobGroup(jobGroup, "Get IDE-SQL Results.", false)
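Review bot: this hunk only inserts a blank line before val startTime in an unrelated Spark engine file; it is whitespace noise in a security fix and should be dropped from the commit.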
     
    
  • linkis-public-enhancements/linkis-configuration/src/main/java/org/apache/linkis/configuration/restful/api/TemplateManagerRestfulApi.java+3 6 modified
    @@ -86,8 +86,7 @@ public Message updateKeyMapping(HttpServletRequest req, @RequestBody JsonNode js
         // check special admin token
         if (StringUtils.isNotBlank(token)) {
           if (!Configuration.isAdminToken(token)) {
    -        logger.warn("Token:{} has no permission to updateKeyMapping.", token);
    -        return Message.error("Token:" + token + " has no permission to updateKeyMapping.");
    +        return Message.error("Token has no permission to updateKeyMapping.");
           }
         } else if (!Configuration.isAdmin(username)) {
           logger.warn("User:{} has no permission to updateKeyMapping.", username);
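Review bot: same concern as in ECResourceInfoRestfulApi: deleting the warn removes the audit trail for a rejected admin token on updateKeyMapping. Replace it with a warning that names the endpoint and the requesting user but not the token, for example logger.warn("Invalid admin token presented to updateKeyMapping by user {}", username).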
    @@ -160,8 +159,7 @@ public Message queryKeyInfoList(HttpServletRequest req, @RequestBody JsonNode js
         // check special admin token
         if (StringUtils.isNotBlank(token)) {
           if (!Configuration.isAdminToken(token)) {
    -        logger.warn("Token:{} has no permission to queryKeyInfoList.", token);
    -        return Message.error("Token:" + token + " has no permission to queryKeyInfoList.");
    +        return Message.error("Token has no permission to queryKeyInfoList.");
           }
         } else if (!Configuration.isAdmin(username)) {
           logger.warn("User:{} has no permission to queryKeyInfoList.", username);
    @@ -212,8 +210,7 @@ public Message apply(HttpServletRequest req, @RequestBody JsonNode jsonNode)
         // check special admin token
         if (StringUtils.isNotBlank(token)) {
           if (!Configuration.isAdminToken(token)) {
    -        logger.warn("Token:{} has no permission to apply.", token);
    -        return Message.error("Token:" + token + " has no permission to apply.");
    +        return Message.error("Token has no permission to apply.");
           }
         } else if (!Configuration.isAdmin(username)) {
           logger.warn("User:{} has no permission to apply.", username);
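Review bot: this is the fifth copy of the same if (StringUtils.isNotBlank(token)) { if (!Configuration.isAdminToken(token)) ... } block touched by this commit (three in this file, one each in ECResourceInfoRestfulApi and EngineRestfulApi). The token was logged the same way in every copy, which is how one mistake became five; pull the check into a single helper that logs without the secret and returns the generic Message.error, and have each endpoint call it so the next endpoint cannot reintroduce the leak.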
    
  • linkis-public-enhancements/linkis-datasource/linkis-datasource-manager/service/jdbc/src/main/java/org/apache/linkis/metadata/query/service/OracleMetaService.java+1 2 modified
    @@ -74,11 +74,10 @@ public MetadataConnection<SqlConnection> getConnection(
         assert extraParams != null;
         LOG.info("oracle connection params:{}", params.toString());
         LOG.info(
    -        "oracle connection host:{},port:{},username:{},password:{},database:{}",
    +        "oracle connection host:{},port:{},username:{},database:{}",
             host,
             port,
             username,
    -        password,
             database);
         return new MetadataConnection<>(
             new SqlConnection(host, port, username, password, database, serviceName, extraParams));
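Review bot: the line kept just above the hunk, LOG.info("oracle connection params:{}", params.toString());, still dumps the whole params map at INFO. If params is where host, port, username and password are read from (those assignments are above this hunk and not visible here, so this is an assumption), the password still reaches the log and the fix is incomplete; drop that line or log only the key names. The remaining host/port/username line should also be DEBUG rather than INFO, since connection metadata on every getConnection call is not operational information.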
    
  • linkis-public-enhancements/linkis-datasource/linkis-datasource-manager/service/mongodb/src/main/java/org/apache/linkis/metadata/query/service/MongoDbConnection.java+1 5 modified
    @@ -177,11 +177,7 @@ public void close() throws IOException {
       private MongoClient getDBConnection(ConnectMessage connectMessage, String database)
           throws Exception {
     
    -    LOG.info(
    -        "mongo information is database:{}, username:{}, passwordd:{} ",
    -        database,
    -        connectMessage.username,
    -        connectMessage.password);
    +    LOG.info("mongo information is database:{}, username:{}", database, connectMessage.username);
     
         MongoClient client = null;
         try {
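Review bot: this hunk fixes the identical leak for the MongoDB data source (the removed statement logged connectMessage.password under the misspelt key passwordd), yet the CVE description and advisory title mention only Oracle. The advisory text should state that the MongoDB data source in <=1.4.0 leaks its password the same way, so operators who never configured Oracle still know to upgrade and rotate.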
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.