Apache Linkis security advisories
Security information for Apache Linkis
Reporting
Do you want disclose a potential security issue for Apache Linkis? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Password Exposure
CVE-2025-59355 [CVE] [CVE json] [OSV json]
Last updated: 2026-01-19T08:37:22.783Z
Affected
- Apache Linkis from 1.0.0 through 1.7.0
Description
A vulnerability.
When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.
Affected Scope
Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.
Version: Apache Linkis 1.0.0 – 1.7.0
Trigger Conditions
The value of the configuration item is an invalid Base64 string.
Log files are readable by users other than hive-site.xml administrators.
Severity: Low
The probability of Base64 decoding failure is low.
The leakage is only triggered when logs at the Error level are exposed.
Remediation
Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content.
logger.error("URL decode failed: {}", e.getMessage()); // 不再输出 str
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
References
- https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj
- https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h
Credits
- Kyler (finder)
- kinghao (analyst)
- Le1a (remediation developer)
- kinghao (remediation reviewer)
Arbitrary File Read via Double URL Encoding Bypass
CVE-2025-29847 [CVE] [CVE json] [OSV json]
Last updated: 2026-01-19T08:36:04.753Z
Affected
- Apache Linkis from 1.3.0 through 1.7.0
Description
A vulnerability in Apache Linkis.
Problem Description
When using the JDBC engine and da
When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.
This issue affects Apache Linkis: from 1.3.0 through 1.7.0.
Severity level
moderate
Solution
Continuously check if the connection information contains the “%” character; if it does, perform URL decoding.
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve
References
Credits
- Le1a and A1kaid from Threatbook (finder)
- kinghao (analyst)
- Le1a from Threatbook (remediation developer)
- kinghao (remediation reviewer)
JDBC Datasource Module with Mysql has file read vulnerability
CVE-2024-45627 [CVE] [CVE json] [OSV json]
Last updated: 2025-01-14T16:13:18.399Z
Affected
- Apache Linkis Metadata Query Service JDBC from 1.5.0 before 1.7.0
Description
In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will
allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.7.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.7.0.
References
Credits
- Le1a (reporter)
Commons Lang’s RandomStringUtils Random string security vulnerability
CVE-2024-39928 [CVE] [CVE json] [OSV json]
Last updated: 2024-09-24T01:38:41.101Z
Affected
- Apache Linkis Spark EngineConn from 1.3.0 before 1.6.0
Description
In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang’s RandomStringUtils.
Users are recommended to upgrade to version 1.6.0, which fixes this issue.
References
Credits
- Hen (reporter)
- Pj fanning (reporter)
Engine material management Arbitrary file deletion vulnerability
CVE-2024-27182 [CVE] [CVE json] [OSV json]
Last updated: 2024-08-02T09:29:36.766Z
Affected
- Apache Linkis Basic management services from 1.3.2 before 1.6.0
Description
In Apache Linkis <= 1.5.0,
Arbitrary file deletion in Basic management services on
A user with an administrator account could delete any file accessible by the Linkis system user
.
Users are recommended to upgrade to version 1.6.0, which fixes this issue.
References
Credits
- superx (reporter)
Privilege Escalation Attack vulnerability
CVE-2024-27181 [CVE] [CVE json] [OSV json]
Last updated: 2024-08-02T09:27:34.414Z
Affected
- Apache Linkis Basic management services from 1.3.2 before 1.6.0
Description
In Apache Linkis <= 1.5.0,
Privilege Escalation in Basic management services where the attacking user is
a trusted account
allows access to Linkis’s Token information. Users are advised to upgrade to version 1.6.0, which fixes this issue.
References
Credits
- superx (reporter)
DataSource module Oracle SQL Database Password Logged
CVE-2023-50740 [CVE] [CVE json] [OSV json]
Last updated: 2024-03-06T13:44:51.798Z
Affected
- Apache Linkis DataSource from * before 1.5.0
Description
In Apache Linkis <=1.4.0, The password is printed to the log when using the Oracle data source of the Linkis data source module.
We recommend users upgrade the version of Linkis to version 1.5.0
References
Credits
- Jonathan Leitschuh (reporter)
JDBC Datasource Module with DB2 has JNDI Injection vulnerability
CVE-2023-49566 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-15T07:56:41.397Z
Affected
- Apache Linkis DataSource from * before 1.6.0
Description
In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious
db2
parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted.
This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.
Versions of Apache Linkis
<=1.5.0
will be affected.
We recommend users upgrade the version of Linkis to version 1.6.0.
References
Credits
- Joyh (reporter)
- L0ne1y (reporter)
DataSource Remote code execution vulnerability
CVE-2023-46801 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-15T07:55:28.176Z
Affected
- Apache Linkis DataSource from 1.4.0 before 1.6.0
Description
In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute them.
This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. We recommend that users upgrade the java version to >= 1.8.0_241. Or users upgrade Linkis to version 1.6.0.
References
Credits
- Pho3n1x (reporter)
DatasourceManager module has a JDBC parameter judgment logic vulnerability that allows for arbitrary file reading
CVE-2023-41916 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-15T07:53:56.163Z
Affected
- Apache Linkis DataSource from 1.4.0 before 1.5.0
Description
In Apache Linkis =1.4.0, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis = 1.4.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.5.0.
References
Credits
- Pho3n1x (reporter)
- L0ne1y (reporter)
Apache Linkis DatasourceManager module has a deserialization command execution
CVE-2023-29216 [CVE] [CVE json] [OSV json]
Last updated: 2024-07-13T14:57:28.538Z
Affected
- Apache Linkis before 1.6.0
Description
In Apache Linkis <=1.5.0, because the parameters are not
effectively filtered, the attacker uses the MySQL data source and malicious parameters to
configure a new data source to trigger a deserialization vulnerability, eventually leading to
remote code execution.
Versions of Apache Linkis <=
1.5.0
will be affected.
We recommend users upgrade the version of Linkis to version 1.6.0.
References
Credits
- sw0rd1ight (reporter)
Apache Linkis JDBC EngineCon has a deserialization command execution
CVE-2023-29215 [CVE] [CVE json] [OSV json]
Last updated: 2023-04-10T07:35:21.175Z
Affected
- Apache Linkis through 1.3.1
Description
In Apache Linkis <=1.3.1, due to the lack of effective filtering
of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a
deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.3.2.
References
Credits
- sw0rd1ight (reporter)
Apache Linkis gateway module token authentication bypass
CVE-2023-27987 [CVE] [CVE json]
Last updated: 2023-04-14T07:51:52.905Z
Affected
- Apache Linkis through 1.3.1
Description
In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default token for the attack. Generation rules should add random values.
We recommend users upgrade the version of Linkis to version 1.3.2 And modify the default token value. You can refer to Token authorization[1]
https://linkis.apache.org/docs/latest/auth/token
References
- https://lists.apache.org/thread/3cr1cz3210wzwngldwrqzm43vwhghp0p
- https://www.openwall.com/lists/oss-security/2023/04/10/3
Credits
- Laihan (reporter)
Apache Linkis Mangaer module engineConn material upload exists Zip Slip issue
CVE-2023-27603 [CVE] [CVE json]
Last updated: 2023-04-14T07:17:48.297Z
Affected
- Apache Linkis through 1.3.1
Description
In Apache Linkis <=1.3.1, due to the Manager module engineConn material upload does not check the zip path, This is a Zip Slip issue, which will lead to a
potential RCE vulnerability.We recommend users upgrade the version of Linkis to version 1.3.2.
References
- https://lists.apache.org/thread/6n1vlvnyn441rm02zdqc0wnpckj8ltn8
- https://www.openwall.com/lists/oss-security/2023/04/10/2
Credits
- 4ra1n (reporter)
Apache Linkis publicsercice module unrestricted upload of file
CVE-2023-27602 [CVE] [CVE json] [OSV json]
Last updated: 2023-04-11T03:15:38.418Z
Affected
- Apache Linkis through 1.3.1
Description
In Apache Linkis <=1.3.1, The PublicService module uploads
files without restrictions on the path to the uploaded files, and file types.We recommend users upgrade the version of Linkis to version 1.3.2.
References
Credits
- Laihan (reporter)
The DatasourceManager module has a serialization attack vulnerability
CVE-2022-44645 [CVE] [CVE json] [OSV json]
Last updated: 2023-02-03T07:43:51.516Z
Affected
- Apache Linkis (incubating) through 1.3.0
Description
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, a deserialization vulnerability with possible remote code execution impact exists when an attacker has to write access to a database and configures new data source with a MySQL data source and malicious parameters. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.3.1.
References
Credits
- Tian Xin WU (Bearcat) , Vulnerability Researcher at Numen Cyber Labs, Singapore. (reporter)
- Department of Cyber Security Research (Jumbo, Unc1e) (remediation developer)
- s3gundo of Hundsun Tech (remediation developer)
The DatasourceManager module has a Local File Read Vulnerability
CVE-2022-44644 [CVE] [CVE json] [OSV json]
Last updated: 2023-03-15T08:36:49.053Z
Affected
- Apache Linkis (incubating) before 1.3.1
Description
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecting a rogue MySQL server, By adding allowLoadLocalInfile to true in the JDBC parameter. Therefore, the parameters in the JDBC URL should be blacklisted. Versions of Apache Linkis <= 1.3.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.3.1
References
Credits
- Department of Cyber Security Research (Jumbo, Unc1e), Beijing Zhiqian Technology Co., LTD (reporter)
- s3gundo of Hundsun Tech (reporter)
The Apache Linkis JDBC EngineConn module has a RCE Vulnerability
CVE-2022-39944 [CVE] [CVE json] [OSV json]
Last updated: 2022-10-26T12:44:23.967Z
Affected
- Apache Linkis from Apache Linkis through 1.2.0
Description
In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. Versions of Apache Linkis <= 1.2.0 will be affected, We recommend users to update to 1.3.0.
References
Credits
- This issue was discovered by 4ra1n and zac from ZAC Security Team