PT-2025-2717 · Apache · Apache Linkis

Le1A · Published 2025-01-14 · Updated 2025-01-18 · CVE-2024-45627

CVSS v3.1: 5.9 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Apache Linkis versions prior to 1.7.0
Description: Because Apache Linkis does not effectively filter parameters, an attacker who configures malicious MySQL JDBC parameters in the DataSource Manager Module can read arbitrary files from the Linkis server. The parameters in the MySQL JDBC URL should be blacklisted. The attack requires the attacker to first obtain an authorized Linkis account.
Recommendations: For Apache Linkis versions prior to 1.7.0, we recommend upgrading Linkis to version 1.7.0. As a temporary workaround, consider blacklisting the parameters in the MySQL JDBC URL to minimize the risk of exploitation. Restrict access to the DataSource Manager Module to minimize the risk of exploitation, and do not accept untrusted MySQL JDBC parameters in that module until the issue is resolved.
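The workaround above is a deny list applied to the parameters of the JDBC URL that a user supplies to the DataSource Manager Module. The following check is an added example, not code from Apache Linkis or from this advisory; the advisory does not enumerate the blocked parameters, so the deny list below is an assumption built from MySQL Connector/J properties that make the driver read local files or deserialize data. It also covers two edge cases a naive string match misses: Connector/J matches property names case-insensitively, and keys may arrive percent-encoded.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed deny list (not from the advisory): Connector/J properties that let
# the driver read files on the client host or deserialize column data.
DENIED_PARAMS = frozenset(name.lower() for name in (
    "allowLoadLocalInfile",
    "allowLoadLocalInfileInPath",
    "allowUrlInLocalInfile",
    "autoDeserialize",
))


class UnsafeJdbcUrl(ValueError):
    """Raised when a user-supplied JDBC URL must not be passed to the driver."""


def jdbc_params(url: str) -> dict[str, str]:
    """Return the decoded key=value parameters of a jdbc:mysql:// URL."""
    if not url.lower().startswith("jdbc:mysql://"):
        raise UnsafeJdbcUrl("only jdbc:mysql:// URLs are accepted")
    # Strip the "jdbc:" prefix so urlsplit sees a normal mysql://host/db?query URL.
    parts = urlsplit(url[len("jdbc:"):])
    # parse_qsl percent-decodes keys, so "allow%4CoadLocalInfile" is still caught.
    return dict(parse_qsl(parts.query, keep_blank_values=True))


def check_jdbc_url(url: str) -> dict[str, str]:
    """Return the URL's parameters, or raise if any is on the deny list."""
    params = jdbc_params(url)
    # Connector/J normalizes property-name case, so compare case-insensitively.
    denied = sorted(k for k in params if k.lower() in DENIED_PARAMS)
    if denied:
        raise UnsafeJdbcUrl("denied JDBC parameters: " + ", ".join(denied))
    return params


def is_safe_jdbc_url(url: str) -> bool:
    """Convenience wrapper: True if the URL passes the deny-list check."""
    try:
        check_jdbc_url(url)
        return True
    except UnsafeJdbcUrl:
        return False
```

An allowlist of the handful of parameters a data source actually needs (for example `useSSL` and `characterEncoding`) is stricter than this deny list and does not need updating when the driver gains new file-related properties.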

Fix

Files Accessible to External Parties


Weakness Enumeration

Related Identifiers

CVE-2024-45627
GHSA-8CVQ-3JJP-PH9P

Affected Products

Apache Linkis