CVE-2023-41916

Name of the Vulnerable Software and Affected Versions: Apache Linkis version 1.4.0

Description: The issue is related to the lack of effective filtering of parameters in the DataSource Manager Module of Apache Linkis, allowing an attacker to configure malicious Mysql JDBC parameters and trigger arbitrary file reading. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. The parameters in the Mysql JDBC URL should be blacklisted to prevent exploitation.

Recommendations: For Apache Linkis version 1.4.0, we recommend upgrading to version 1.5.0 to resolve the issue. As a temporary workaround, consider blacklisting the parameters in the Mysql JDBC URL to minimize the risk of exploitation. Restrict access to the DataSource Manager Module to authorized accounts only.