Apache Linkis: Password Exposure
Description
When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.
Affected scope
Component: sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.
Version: Apache Linkis 1.0.0 – 1.7.0
Trigger conditions
The value of the configuration item is an invalid Base64 string, and the log files are readable by users other than the hive-site.xml administrators.
Severity: Low
The probability of Base64 decoding failure is low, and the leakage is only triggered when logs at the Error level are exposed.
Remediation
Apache Linkis 1.8.0 and later versions have replaced the log statement with desensitized content:
logger.error("URL decode failed: {}", e.getMessage()); // no longer outputs str
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Linkis 1.0.0-1.7.0 leaks plaintext passwords in logs when Base64 decoding fails for Hive configuration fields.
CVE-2025-59355 is a low-severity information disclosure vulnerability in Apache Linkis, affecting versions 1.0.0 through 1.7.0. The issue resides in org.apache.linkis.metadata.util.HiveUtils.decode(), which logs the entire input parameter string when Base64 decoding fails via logger.error(str + "decode failed", e). If the parameter contains sensitive fields from hive-site.xml (e.g., javax.jdo.option.ConnectionPassword), the plaintext password is written to Error-level logs [2][3].
Exploitation requires two conditions: the configuration value must be an invalid Base64 string (which has a low probability), and log files must be readable by users other than the hive-site.xml administrators. The attack vector is local or remote depending on log access, and no authentication is explicitly required beyond log readability [2].
An attacker who can read the logs gains access to plaintext Hive Metastore passwords, potentially compromising the Hive metastore and associated data. The vulnerability is categorized as low severity because the triggering condition is unlikely and only Error-level logs expose the information [2][3].
Mitigation is available in Apache Linkis 1.8.0, which replaces the vulnerable log statement with a desensitized version. Users are strongly recommended to upgrade. Additionally, restricting log file permissions can reduce risk in unpatched environments [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
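The Description and AI Insight sections both come down to one log statement: on decode failure the pre-1.8.0 code concatenates the raw input into the error message, while the 1.8.0 fix logs only the exception's message. The following added example (not Linkis's own code) models both statements side by side with java.util.logging instead of the project's logger, feeds each a constructed, non-Base64 "password", and checks whether that value reached the captured log output. The class and method names, the fallback of returning the raw input on failure, and the sample secret are all assumptions made for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.function.UnaryOperator;
import java.util.logging.Formatter;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;

// Simplified model of the two log statements from the advisory; hypothetical names, not Linkis code.
public class DecodeLogLeakDemo {

    private static final Logger LOGGER = Logger.getLogger(DecodeLogLeakDemo.class.getName());

    // Collects every log record's formatted message so the check below can inspect it.
    static final class CapturingHandler extends Handler {
        private final StringBuilder captured = new StringBuilder();
        private final Formatter formatter = new SimpleFormatter();

        @Override
        public void publish(LogRecord record) {
            captured.append(formatter.formatMessage(record)).append('\n');
        }

        @Override public void flush() { }
        @Override public void close() { }

        String text() { return captured.toString(); }
    }

    // Pre-1.8.0 pattern: the raw input (possibly a password) lands in the log on failure.
    static String decodeVulnerable(String str) {
        try {
            return new String(Base64.getDecoder().decode(str), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            LOGGER.log(Level.SEVERE, str + "decode failed", e);
            return str; // assumption: fall back to the raw value on failure
        }
    }

    // 1.8.0-style pattern: only the decoder's message is logged, never the input string.
    static String decodeHardened(String str) {
        try {
            return new String(Base64.getDecoder().decode(str), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            LOGGER.log(Level.SEVERE, "URL decode failed: {0}", e.getMessage());
            return str; // same assumed fallback as above
        }
    }

    // Runs one decoder against a secret that is NOT valid Base64 and reports whether the
    // secret itself appeared anywhere in the captured log text.
    static boolean secretLeaked(UnaryOperator<String> decoder, String secret) {
        CapturingHandler handler = new CapturingHandler();
        LOGGER.setUseParentHandlers(false); // keep the console quiet during the check
        LOGGER.addHandler(handler);
        try {
            decoder.apply(secret);
            return handler.text().contains(secret);
        } finally {
            LOGGER.removeHandler(handler);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: '$' and '!' are outside the Base64 alphabet, so decoding fails.
        String password = "s3cret-pa$$word!";
        System.out.println("vulnerable pattern leaks secret: "
                + secretLeaked(DecodeLogLeakDemo::decodeVulnerable, password)); // true
        System.out.println("hardened pattern leaks secret:   "
                + secretLeaked(DecodeLogLeakDemo::decodeHardened, password));   // false
    }
}
```

The hardened variant still records why decoding failed, but the JDK decoder's message names only the offending character, not the input, which is what makes the 1.8.0 change sufficient. For environments that cannot upgrade immediately, the same `contains`-style check can be pointed at existing log files to find "decode failed" entries that need scrubbing, alongside tightening who can read those files as the advisory recommends.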
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.linkis:linkis-metadata (Maven) | >= 1.0.0, < 1.8.0 | 1.8.0 |
Affected products
- Range: 1.0.0, 1.0.1, 1.0.2, …
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj (ghsa, patch, WEB)
- github.com/advisories/GHSA-6vfr-p2hx-6v32 (ghsa, ADVISORY)
- lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-59355 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2025/09/19/1 (ghsa, WEB)
News mentions
No linked articles in our index yet.