Apache Linkis security advisories

Security information for Apache Linkis

Reporting

Do you want disclose a potential security issue for Apache Linkis? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Password Exposure

CVE-2025-59355 [CVE] [CVE json] [OSV json]

Last updated: 2026-01-19T08:37:22.783Z

Affected

  • Apache Linkis from 1.0.0 through 1.7.0

Description

A vulnerability.

When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.


Affected Scope
Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.
Version: Apache Linkis 1.0.0 – 1.7.0


Trigger Conditions
The value of the configuration item is an invalid Base64 string.
Log files are readable by users other than hive-site.xml administrators.


Severity: Low
The probability of Base64 decoding failure is low.
The leakage is only triggered when logs at the Error level are exposed.

Remediation
Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content.
logger.error("URL decode failed: {}", e.getMessage()); // 不再输出 str


Users are recommended to upgrade to version 1.8.0, which fixes the issue.

References

Credits

  • Kyler (finder)
  • kinghao (analyst)
  • Le1a (remediation developer)
  • kinghao (remediation reviewer)

Arbitrary File Read via Double URL Encoding Bypass

CVE-2025-29847 [CVE] [CVE json] [OSV json]

Last updated: 2026-01-19T08:36:04.753Z

Affected

  • Apache Linkis from 1.3.0 through 1.7.0

Description

A vulnerability in Apache Linkis.

Problem Description
When using the JDBC engine and da
When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.

Scope of Impact

This issue affects Apache Linkis: from 1.3.0 through 1.7.0.

Severity level

moderate

Solution
Continuously check if the connection information contains the “%” character; if it does, perform URL decoding.

Users are recommended to upgrade to version 1.8.0, which fixes the issue.

More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve

References

Credits

  • Le1a and A1kaid from Threatbook (finder)
  • kinghao (analyst)
  • Le1a from Threatbook (remediation developer)
  • kinghao (remediation reviewer)

JDBC Datasource Module with Mysql has file read vulnerability

CVE-2024-45627 [CVE] [CVE json] [OSV json]

Last updated: 2025-01-14T16:13:18.399Z

Affected

  • Apache Linkis Metadata Query Service JDBC from 1.5.0 before 1.7.0

Description

In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will

allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.7.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.7.0.


References

Credits

  • Le1a (reporter)

Commons Lang’s RandomStringUtils Random string security vulnerability

CVE-2024-39928 [CVE] [CVE json] [OSV json]

Last updated: 2024-09-24T01:38:41.101Z

Affected

  • Apache Linkis Spark EngineConn from 1.3.0 before 1.6.0

Description

In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang’s RandomStringUtils.
Users are recommended to upgrade to version 1.6.0, which fixes this issue.

References

Credits

  • Hen (reporter)
  • Pj fanning (reporter)

Engine material management Arbitrary file deletion vulnerability

CVE-2024-27182 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-02T09:29:36.766Z

Affected

  • Apache Linkis Basic management services from 1.3.2 before 1.6.0

Description

In Apache Linkis <= 1.5.0,

Arbitrary file deletion in Basic management services on

A user with an administrator account could delete any file accessible by the Linkis system user

.
Users are recommended to upgrade to version 1.6.0, which fixes this issue.

References

Credits

  • superx (reporter)

Privilege Escalation Attack vulnerability

CVE-2024-27181 [CVE] [CVE json] [OSV json]

Last updated: 2024-08-02T09:27:34.414Z

Affected

  • Apache Linkis Basic management services from 1.3.2 before 1.6.0

Description

In Apache Linkis <= 1.5.0,

Privilege Escalation in Basic management services where the attacking user is

a trusted account

allows access to Linkis’s Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue.

References

Credits

  • superx (reporter)

DataSource module Oracle SQL Database Password Logged

CVE-2023-50740 [CVE] [CVE json] [OSV json]

Last updated: 2024-03-06T13:44:51.798Z

Affected

  • Apache Linkis DataSource from * before 1.5.0

Description

In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module. 
We recommend users upgrade the version of Linkis to version 1.5.0

References

Credits

  • Jonathan Leitschuh (reporter)

JDBC Datasource Module with DB2 has JNDI Injection vulnerability

CVE-2023-49566 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-15T07:56:41.397Z

Affected

  • Apache Linkis DataSource from * before 1.6.0

Description

In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious

db2

parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted. 

This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.

Versions of Apache Linkis

<=1.5.0

will be affected.
We recommend users upgrade the version of Linkis to version 1.6.0.

References

Credits

  • Joyh (reporter)
  • L0ne1y (reporter)

DataSource Remote code execution vulnerability

CVE-2023-46801 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-15T07:55:28.176Z

Affected

  • Apache Linkis DataSource from 1.4.0 before 1.6.0

Description

In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them.

This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.  We recommend that users upgrade the java version to >= 1.8.0_241. Or users upgrade Linkis to version 1.6.0.

References

Credits

  • Pho3n1x (reporter)

DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading

CVE-2023-41916 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-15T07:53:56.163Z

Affected

  • Apache Linkis DataSource from 1.4.0 before 1.5.0

Description

In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected. 
We recommend users upgrade the version of Linkis to version 1.5.0.


References

Credits

  • Pho3n1x (reporter)
  • L0ne1y (reporter)

Apache Linkis DatasourceManager module has a deserialization command execution

CVE-2023-29216 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-13T14:57:28.538Z

Affected

  • Apache Linkis before 1.6.0

Description

In Apache Linkis <=1.5.0, because the parameters are not effectively filtered, the attacker uses the MySQL data source and malicious parameters to configure a new data source to trigger a deserialization vulnerability, eventually leading to remote code execution.
Versions of Apache Linkis <=

1.5.0

will be affected.
We recommend users upgrade the version of Linkis to version 1.6.0.

References

Credits

  • sw0rd1ight (reporter)

Apache Linkis JDBC EngineCon has a deserialization command execution

CVE-2023-29215 [CVE] [CVE json] [OSV json]

Last updated: 2023-04-10T07:35:21.175Z

Affected

  • Apache Linkis through 1.3.1

Description

In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.3.2.


References

Credits

  • sw0rd1ight (reporter)

Apache Linkis gateway module token authentication bypass

CVE-2023-27987 [CVE] [CVE json]

Last updated: 2023-04-14T07:51:52.905Z

Affected

  • Apache Linkis through 1.3.1

Description

In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values.

We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization[1]
https://linkis.apache.org/docs/latest/auth/token


References

Credits

  • Laihan (reporter)

Apache Linkis Mangaer module engineConn material upload exists Zip Slip issue

CVE-2023-27603 [CVE] [CVE json]

Last updated: 2023-04-14T07:17:48.297Z

Affected

  • Apache Linkis through 1.3.1

Description

In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a potential RCE vulnerability.

We recommend users upgrade the version of Linkis to version 1.3.2.

References

Credits

  • 4ra1n (reporter)

Apache Linkis publicsercice module unrestricted upload of file

CVE-2023-27602 [CVE] [CVE json] [OSV json]

Last updated: 2023-04-11T03:15:38.418Z

Affected

  • Apache Linkis through 1.3.1

Description

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types.

We recommend users upgrade the version of Linkis to version 1.3.2. 

References

Credits

  • Laihan (reporter)

The DatasourceManager module has a serialization attack vulnerability

CVE-2022-44645 [CVE] [CVE json] [OSV json]

Last updated: 2023-02-03T07:43:51.516Z

Affected

  • Apache Linkis (incubating) through 1.3.0

Description

In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, a deserialization vulnerability with possible remote code execution impact exists when an attacker has to write access to a database and configures new data source with a MySQL data source and malicious parameters. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.

We recommend users upgrade the version of Linkis to version 1.3.1.

References

Credits

  • Tian Xin WU (Bearcat) , Vulnerability Researcher at Numen Cyber ​​​​Labs, Singapore. (reporter)
  • Department of Cyber Security Research (Jumbo, Unc1e) (remediation developer)
  • s3gundo of Hundsun Tech (remediation developer)

The DatasourceManager module has a Local File Read Vulnerability

CVE-2022-44644 [CVE] [CVE json] [OSV json]

Last updated: 2023-03-15T08:36:49.053Z

Affected

  • Apache Linkis (incubating) before 1.3.1

Description

In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected. 

We recommend users upgrade the version of Linkis to version 1.3.1

References

Credits

  • Department of Cyber Security Research (Jumbo, Unc1e), Beijing Zhiqian Technology Co., LTD (reporter)
  • s3gundo of Hundsun Tech (reporter)

The Apache Linkis JDBC EngineConn module has a RCE Vulnerability

CVE-2022-39944 [CVE] [CVE json] [OSV json]

Last updated: 2022-10-26T12:44:23.967Z

Affected

  • Apache Linkis from Apache Linkis through 1.2.0

Description

In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.2.0 will be affected, We recommend users to update to 1.3.0.

References

Credits

  • This issue was discovered by 4ra1n and zac from ZAC Security Team