CVE-2025-29847

Name of the Vulnerable Software and Affected Versions Apache Linkis versions 1.3.0 through 1.7.0

Description A flaw exists in Apache Linkis when utilizing the JDBC engine and data source functionality. Multiple rounds of URL encoding applied to the URL parameter configured on the frontend can circumvent system checks. This bypass may enable unauthorized access to system files through JDBC parameters. The issue is related to insufficient validation of connection information, specifically regarding the presence of the '%' character.

Recommendations Upgrade to version 1.8.0, which addresses this issue. Continuously check if the connection information contains the "%" character and perform URL decoding if it does.