Files or Directories Accessible to External Parties

CVE-2023-41916

Medium

6.5/10

Summary

In Apache Linkis version 1.4.0 through 1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious MySQL JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the MySQL JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-552 - Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References

Advisory
Mail Thread
Release Note

Advisory Timeline

Published Jul 15, 2024

Files or Directories Accessible to External Parties

CVE-2023-41916

Summary

CWE-552 - Files or Directories Accessible to External Parties

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS