CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-45627: Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability

Description

In Apache Linkis <1.7.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will

allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.7.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.7.0.

Classification

CVE ID: CVE-2024-45627

Affected Products

Vendor: Apache Software Foundation

Product: Apache Linkis Metadata Query Service JDBC

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (scored less or equal to compared to others)

EPSS Date: 2025-02-12 (when was this score calculated)

References

https://lists.apache.org/thread/0zzx8lldwoqgzq98mg61hojgpvn76xsh

Timeline

2025-01-14 21:15:16 UTC
Github Advisory Database (Maven)

[org.apache.linkis:linkis-metadata-query-service-jdbc] Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read v...
2025-01-15 00:30:27 UTC
CVE

Apache Linkis Metadata Query Service JDBC: JDBC Datasource Module with Mysql has file read vulnerability