CVE-2023-29215

Name of the Vulnerable Software and Affected Versions Apache Linkis versions 1.3.0 through 1.3.1

Description The issue is related to the lack of effective filtering of parameters in Apache Linkis, which can lead to a deserialization vulnerability. This vulnerability can be triggered by an attacker configuring malicious Mysql JDBC parameters in the JDBC EngineConn Module, resulting in remote code execution. The parameters in the Mysql JDBC URL should be blacklisted to prevent exploitation.

Recommendations For Apache Linkis versions 1.3.0 through 1.3.1, upgrade the version of Linkis to version 1.3.2 to resolve the issue. As a temporary workaround, consider blacklisting the parameters in the Mysql JDBC URL to minimize the risk of exploitation. Restrict access to the JDBC EngineConn Module to prevent malicious configuration of Mysql JDBC parameters.