CVE-2023-41916 : In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, a

In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected. We recommend users upgrade the version of Linkis to version 1.5.0.

Published 2024-07-15 07:53:58

Updated 2025-03-14 16:15:27

Source Apache Software Foundation

View at NVD, CVE.org

Products affected by CVE-2023-41916

Apache » Linkis
Versions from including (>=) 1.4.0 and before (<) 1.6.0
cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*
Matching versions
Apache » Linkis
Versions from including (>=) 1.4.0 and before (<) 1.5.0
cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-41916

EPSS FAQ

0.25%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 49 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-41916

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-03-14
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	NIST	2024-07-16
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-41916

CWE-552 Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.
Assigned by:
- f0158376-9dc2-43b6-827c-5f631a4d8d09 (Primary)
- security@apache.org (Secondary)

References for CVE-2023-41916

http://www.openwall.com/lists/oss-security/2024/07/13/4

oss-security - CVE-2023-41916: Apache Linkis DataSource: DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading
https://lists.apache.org/thread/dxkpwyoxy1jpdwlpqp15zvo0jxn4v729

CVE-2023-41916: Apache Linkis DataSource: DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading-Apache Mail Archives
Mailing List;Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-41916

Products affected by CVE-2023-41916

Exploit prediction scoring system (EPSS) score for CVE-2023-41916

CVSS scores for CVE-2023-41916

CWE ids for CVE-2023-41916

References for CVE-2023-41916