Maven package
org.apache.linkis/linkis
pkg:maven/org.apache.linkis/linkis
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-29847 | — | >= 1.3.0, < 1.8.0 | 1.8.0 | Jan 19, 2026 | A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. Thi | ||
| CVE-2024-27182 | — | < 1.6.0 | 1.6.0 | Aug 2, 2024 | In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user . Users are recommended to upgrade to version 1.6.0, which fixes this issue. | ||
| CVE-2024-27181 | — | < 1.6.0 | 1.6.0 | Aug 2, 2024 | In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue. | ||
| CVE-2023-50740 | — | < 1.5.0 | 1.5.0 | Mar 6, 2024 | In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade the version of Linkis to version 1.5.0 | ||
| CVE-2023-27987 | — | < 1.3.2 | 1.3.2 | Apr 10, 2023 | In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to ver | ||
| CVE-2023-27603 | — | < 1.3.2 | 1.3.2 | Apr 10, 2023 | In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability. We recommend users upgrade the version of Linkis to version 1.3.2. | ||
| CVE-2023-27602 | — | < 1.3.2 | 1.3.2 | Apr 10, 2023 | In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch | ||
| CVE-2022-44644 | — | < 1.3.1 | 1.3.1 | Jan 31, 2023 | In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the J | ||
| CVE-2022-44645 | — | < 1.3.1 | 1.3.1 | Jan 31, 2023 | In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Theref | ||
| CVE-2022-39944 | — | < 1.3.0 | 1.3.0 | Oct 26, 2022 | In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, |
- CVE-2025-29847Jan 19, 2026affected >= 1.3.0, < 1.8.0fixed 1.8.0
A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. Thi
- CVE-2024-27182Aug 2, 2024affected < 1.6.0fixed 1.6.0
In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services on A user with an administrator account could delete any file accessible by the Linkis system user . Users are recommended to upgrade to version 1.6.0, which fixes this issue.
- CVE-2024-27181Aug 2, 2024affected < 1.6.0fixed 1.6.0
In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue.
- CVE-2023-50740Mar 6, 2024affected < 1.5.0fixed 1.5.0
In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade the version of Linkis to version 1.5.0
- CVE-2023-27987Apr 10, 2023affected < 1.3.2fixed 1.3.2
In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values. We recommend users upgrade the version of Linkis to ver
- CVE-2023-27603Apr 10, 2023affected < 1.3.2fixed 1.3.2
In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability. We recommend users upgrade the version of Linkis to version 1.3.2.
- CVE-2023-27602Apr 10, 2023affected < 1.3.2fixed 1.3.2
In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch
- CVE-2022-44644Jan 31, 2023affected < 1.3.1fixed 1.3.1
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the J
- CVE-2022-44645Jan 31, 2023affected < 1.3.1fixed 1.3.1
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Theref
- CVE-2022-39944Oct 26, 2022affected < 1.3.0fixed 1.3.0
In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore,