// For flags

CVE-2023-49566

Apache Linkis DataSource: JDBC Datasource Module with DB2 has JNDI Injection vulnerability

Severity Score

"-"
*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In Apache Linkis <=1.5.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious

db2

parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted. 

This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.

Versions of Apache Linkis

<=1.5.0

will be affected.
We recommend users upgrade the version of Linkis to version 1.6.0.

En Apache Linkis &lt;= 1.5.0, debido a la falta de un filtrado efectivo de parámetros, un atacante que configure parámetros db2 maliciosos en el módulo DataSource Manager resultará en una inyección de jndi. Por lo tanto, los parámetros en la URL de DB2 deben estar en la lista negra. Este ataque requiere que el atacante obtenga una cuenta autorizada de Linkis antes de poder llevarse a cabo. Las versiones de Apache Linkis &lt;=1.5.0 se verán afectadas. Recomendamos a los usuarios actualizar la versión de Linkis a la versión 1.6.0.

*Credits: Joyh, L0ne1y
CVSS Scores
Attack Vector
-
Attack Complexity
-
Privileges Required
-
User Interaction
-
Scope
-
Confidentiality
-
Integrity
-
Availability
-
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-11-27 CVE Reserved
  • 2024-07-15 CVE Published
  • 2024-08-17 EPSS Updated
  • 2024-09-13 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-502: Deserialization of Untrusted Data
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://lists.apache.org/thread/t68yy52lmv7pxgrxnq6rw7rwvk9tb1xj 2024-07-15
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache Software Foundation
Search vendor "Apache Software Foundation"
 Apache Linkis DataSource
Search vendor "Apache Software Foundation" for product "Apache Linkis DataSource"
 < 1.6.0
Search vendor "Apache Software Foundation" for product "Apache Linkis DataSource" and version " < 1.6.0"
en
Affected