CVE-2023-49198

Name of the Vulnerable Software and Affected Versions Apache SeaTunnel version 1.0.0

Description A security issue in Apache SeaTunnel allows attackers to read files on the MySQL server by modifying the information in the MySQL URL. The issue can be exploited by setting specific parameters in the MySQL URL, such as allowLoadLocalInfile=true, allowUrlInLocalInfile=true, allowLoadLocalInfileInPath=/, and maxAllowedPacket=655360. This allows for arbitrary file read vulnerability.

Recommendations For Apache SeaTunnel version 1.0.0, upgrade to version 1.0.1, which fixes the issue. As a temporary workaround, consider restricting access to the MySQL URL handler to minimize the risk of exploitation. Avoid using the parameters allowLoadLocalInfile, allowUrlInLocalInfile, allowLoadLocalInfileInPath, and maxAllowedPacket in the affected API endpoint until the issue is resolved.