Vulnerability Description
In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1.3.2. For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties `wds.linkis.workspace.filesystem.owner.check=true` `wds.linkis.workspace.filesystem.path.check=true`
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Linkis | <= 1.3.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/04/10/1Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2023/04/18/4
- http://www.openwall.com/lists/oss-security/2023/04/19/3
- https://lists.apache.org/thread/wt70jfc0yfs6s5g0wg5dr5klnc48nsp1Mailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2023/04/10/1Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2023/04/18/4
- http://www.openwall.com/lists/oss-security/2023/04/19/3
- https://lists.apache.org/thread/wt70jfc0yfs6s5g0wg5dr5klnc48nsp1Mailing ListVendor Advisory
FAQ
What is CVE-2023-27602?
CVE-2023-27602 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users upgrade the version of Linkis to version 1...
How severe is CVE-2023-27602?
CVE-2023-27602 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-27602?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Linkis.