CVE-2022-44644

Name of the Vulnerable Software and Affected Versions Apache Linkis versions prior to 1.3.1

Description The issue is related to insufficient protection of service data when handling the allowLoadLocalInfile parameter with a value of true in the MySQL Connector/J component of Apache Linkis. This could allow a remote attacker to read arbitrary local files by connecting a rogue MySQL server and adding allowLoadLocalInfile to true in the JDBC parameter. The parameters in the JDBC URL should be blacklisted to prevent exploitation.

Recommendations For Apache Linkis versions prior to 1.3.1, upgrade the version of Linkis to version 1.3.1 to resolve the issue. As a temporary workaround, consider blacklisting the parameters in the JDBC URL, specifically the allowLoadLocalInfile parameter, to minimize the risk of exploitation. Restrict access to the MySQL Connector/J component to prevent attackers from connecting a rogue MySQL server.