CVE-2023-27602

Summary

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types.

We recommend users upgrade the version of Linkis to version 1.3.2. 

For versions

<=1.3.1, we suggest turning on the file path check switch in linkis.properties

wds.linkis.workspace.filesystem.owner.check=true wds.linkis.workspace.filesystem.path.check=true

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Linkis0 <= 1.3.1affected

Weaknesses

  • CWE-434: CWE-434 Unrestricted Upload of File with Dangerous Type

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References