Oracle · MySQL Connector/J · CVE-2022-44644
**Name of the Vulnerable Software and Affected Versions**
Apache Linkis versions prior to 1.3.1
**Description**
The issue stems from insufficient protection of service data when the `allowLoadLocalInfile` parameter is handled with a value of true in the MySQL Connector/J component of Apache Linkis. A remote attacker could read arbitrary local files by connecting a rogue MySQL server and setting `allowLoadLocalInfile` to true in the JDBC parameters. The parameters in the JDBC URL should be blacklisted to prevent exploitation.
**Recommendations**
For Apache Linkis versions prior to 1.3.1, upgrade to version 1.3.1 to resolve the issue. As a temporary workaround, consider blacklisting the parameters in the JDBC URL, specifically the `allowLoadLocalInfile` parameter, to minimize the risk of exploitation. Restrict access to the MySQL Connector/J component to prevent attackers from connecting a rogue MySQL server.
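
One way to implement the parameter blacklist described above, as an added example that is not Linkis's own fix: the class `JdbcUrlGuard`, its methods and the sample URLs are hypothetical. It decodes and lower-cases the URL before matching, so encoded or differently cased spellings of `allowLoadLocalInfile` are rejected as well.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Added example (hypothetical class, not Linkis code): deny-list check for JDBC URLs. */
public final class JdbcUrlGuard {

    // Lower-cased names of blocked parameters; the advisory names this one.
    private static final Set<String> BLOCKED = Set.of("allowloadlocalinfile");
    private static final int MAX_DECODE_ROUNDS = 5;

    /** Percent-decodes until the text stops changing, so nested encodings are normalised. */
    static String fullyDecode(String url) {
        String current = url;
        for (int i = 0; i < MAX_DECODE_ROUNDS; i++) {
            // Throws IllegalArgumentException on malformed %xx sequences.
            String next = URLDecoder.decode(current, StandardCharsets.UTF_8);
            if (next.equals(current)) {
                return current;
            }
            current = next;
        }
        throw new IllegalArgumentException("JDBC URL is encoded too deeply");
    }

    /** Returns true only if no blocked name appears anywhere in the decoded URL. */
    public static boolean isAllowed(String jdbcUrl) {
        try {
            String normalised = fullyDecode(jdbcUrl).toLowerCase(Locale.ROOT);
            // Substring match is deliberately coarse: it fails closed regardless of
            // where in the URL the parameter is placed.
            return BLOCKED.stream().noneMatch(normalised::contains);
        } catch (IllegalArgumentException e) {
            return false; // undecodable input is rejected, not passed through
        }
    }

    public static void main(String[] args) {
        // Constructed sample URLs; host and database names are placeholders.
        List<String> samples = List.of(
            "jdbc:mysql://db.example.internal:3306/app?useSSL=true",
            "jdbc:mysql://db.example.internal:3306/app?allowLoadLocalInfile=true",
            "jdbc:mysql://db.example.internal:3306/app?ALLOWLOADLOCALINFILE=true",
            "jdbc:mysql://db.example.internal:3306/app?allowLoadLocalInfil%65=true");
        for (String url : samples) {
            System.out.println((isAllowed(url) ? "ACCEPT " : "REJECT ") + url);
        }
    }
}
```

The check rejects the parameter whatever its value, so a URL that sets `allowLoadLocalInfile=false` is refused too. Run it on every user-supplied JDBC URL before the URL reaches the driver.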