Files or Directories Accessible to External Parties

CVE-2024-45627

Medium

5.9/10

Summary

In Apache Linkis, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. This issue affects versions 1.5.0 through 1.6.0.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: LOW

CWE-552 - Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References

Advisory
Mail Thread
Pull request

Advisory Timeline

Published Jan 14, 2025

Files or Directories Accessible to External Parties

CVE-2024-45627

Summary

CWE-552 - Files or Directories Accessible to External Parties

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS