Joyh

**Name of the Vulnerable Software and Affected Versions** Apache SeaTunnel version 1.0.0 **Description** The issue is related to a Web Authentication vulnerability in Apache SeaTunnel, where the jwt key is hardcoded in the application. This allows an attacker to forge any token and log in as any user. The attacker can obtain the secret key from `/seatunnel-server/seatunnel-app/src/main/resources/application.yml` and then create a token. **Recommendations** For Apache SeaTunnel version 1.0.0, users are recommended to upgrade to version 1.0.1, which fixes the issue. As a temporary workaround, consider restricting access to the `/seatunnel-server/seatunnel-app/src/main/resources/application.yml` file to prevent attackers from obtaining the secret key.

Name of the Vulnerable Software and Affected Versions: Apache Linkis versions <=1.5.0 Description: The issue is related to the lack of effective filtering of parameters in the DataSource Manager Module of Apache Linkis. This allows an attacker to configure malicious `db2` parameters, resulting in jndi injection. The attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Recommendations: For Apache Linkis versions <=1.5.0, upgrade the version of Linkis to version 1.6.0. As a temporary workaround, consider blacklisting the parameters in the DB2 URL to minimize the risk of exploitation. Restrict access to the DataSource Manager Module to authorized accounts only.