CVE-2022-39944
Apache Linkis subject to Remote Code Execution via deserialization
8.8
HIGH
CVSS 3.1
EPSS 1.4%
Description
In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore, the parameters in the jdbc url should be blacklisted. This issue is patched in version 1.3.0, and users are recommended to upgrade.
How to fix CVE-2022-39944
To remediate CVE-2022-39944, upgrade the affected package to a fixed version below.
- —upgrade to 1.3.0 or later
Is CVE-2022-39944 being exploited?
Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |