CVE-2023-29215

CVE-2023-29215: Apache Linkis JDBC EngineCon has a deserialization command execution

Vendor Apache Software Foundation

Product Apache Linkis

Weakness CWE-502 · Unsafe deserialization

Published April 10, 2023

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. We recommend users upgrade the version of Linkis to version 1.3.2.

Key dates

Disclosure timeline

April 10, 2023 CVE published

February 13, 2025 Record updated