Apache Linkis Basic management services: Engine material management Arbitrary file deletion vulnerability
Description
In Apache Linkis <= 1.5.0, arbitrary file deletion is possible in Basic management services: a user with an administrator account could delete any file accessible by the Linkis system user. Users are recommended to upgrade to version 1.6.0, which fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Linkis <= 1.5.0 allows admin users to delete any file accessible by the Linkis system user via the Basic management services.
Vulnerability Description
CVE-2024-27182 is an arbitrary file deletion vulnerability in the Basic management services component of Apache Linkis, specifically affecting the engine material management functionality [1]. Versions up to and including 1.5.0 are vulnerable. The root cause lies in insufficient access control checks within the Basic management service, allowing a user with administrative privileges to delete any file that the Linkis system user can access [2].
Exploitation
To exploit this vulnerability, an attacker must have a valid administrator account on the Apache Linkis instance [3]. No other network position or authentication bypass is required; the attacker simply leverages their administrative access to the Basic management services. The attack can be performed remotely, deleting files outside the intended scope of the management interface.
Impact
A successful exploit allows an attacker to delete arbitrary files on the server running Linkis, limited only by the file system permissions of the Linkis system user [2]. This could lead to deletion of configuration files, application data, or critical system files, potentially causing denial of service, data loss, or further compromise of the host system.
Mitigation
The vulnerability is fixed in Apache Linkis version 1.6.0 [3]. Users are strongly recommended to upgrade to this version or later. No workarounds have been provided for older versions; administrators should restrict access to admin accounts as a temporary mitigation.
- [1] GitHub - apache/linkis: Apache Linkis builds a computation middleware layer to facilitate connection, governance and orchestration between the upper applications and the underlying data engines.
- [2] NVD - CVE-2024-27182
- [3] security - CVE-2024-27182: Apache Linkis Basic management services: Engine material management Arbitrary file deletion vulnerability
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.linkis:linkis (Maven) | < 1.6.0 | 1.6.0 |
Affected products
- Apache Software Foundation/Apache Linkis Basic management services (v5). Range: 1.3.2
References
- github.com/advisories/GHSA-j6vx-r77h-44wc (ghsa; ADVISORY)
- lists.apache.org/thread/2of1p433h8rbq2bx525rtftnk19oz38h (ghsa, vendor-advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-27182 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2024/08/02/4 (ghsa; WEB)