Apache Linkis
18 CVEs affecting Apache Linkis. Latest disclosed: 2026-01-19. Critical: 5, High: 7.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-29216 | Critical | 9.8 | 2023-04-10 | In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker uses the MySQL data source and malicious parameters to configure a… |
| CVE-2023-29215 | Critical | 9.8 | 2023-04-10 | In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious MySQL JDBC parameters in JDBC EngineConn Mod… |
| CVE-2023-27603 | Critical | 9.8 | 2023-04-10 | In Apache Linkis <=1.3.1, because the Manager module engineConn material upload does not check the zip path, there is a Zip Slip issue, which will lead to a p… |
| CVE-2023-27602 | Critical | 9.8 | 2023-04-10 | In Apache Linkis <=1.3.1, the PublicService module uploads files without restrictions on the path to the uploaded files, and file types. We recommend users u… |
| CVE-2023-27987 | Critical | 9.1 | 2023-04-10 | In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to obtain the default tok… |
| CVE-2024-27181 | High | 8.8 | 2024-08-02 | In Apache Linkis <= 1.5.0, Privilege Escalation in Basic management services where the attacking user is a trusted account allows access to Linkis's Token… |
| CVE-2023-49566 | High | 8.8 | 2024-07-15 | In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious db2 parameters in the DataSource Manager… |
| CVE-2023-46801 | High | 8.8 | 2024-07-15 | In Apache Linkis <= 1.5.0, in the data source management module, a remote code execution vulnerability exists when adding a MySQL data source, for java version < 1.8.0_2… |
| CVE-2022-44645 | High | 8.8 | 2023-01-31 | In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attack… |
| CVE-2022-39944 | High | 8.8 | 2022-10-26 | In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attack… |
| CVE-2025-29847 | High | 7.5 | 2026-01-19 | A vulnerability in Apache Linkis. Problem Description: When using the JDBC engine and data source functionality, if the URL p… |
| CVE-2024-39928 | High | 7.5 | 2024-09-25 | In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons… |
| CVE-2025-59355 | Medium | 6.5 | 2026-01-19 | A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in t… |
| CVE-2023-41916 | Medium | 6.5 | 2024-07-15 | In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious MySQL JDBC parameters in the DataSource Manag… |
| CVE-2022-44644 | Medium | 6.5 | 2023-01-31 | In Apache Linkis <=1.3.0 when used with the MySQL Connector/J in the data source module, an authenticated attacker could read arbitrary local files by connecti… |
| CVE-2024-45627 | Medium | 5.9 | 2025-01-14 | In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious MySQL JDBC parameters in the DataSource Manage… |
| CVE-2023-50740 | Medium | 5.3 | 2024-03-06 | In Apache Linkis <=1.4.0, the password is printed to the log when using the Oracle data source of the Linkis data source module. We recommend users upgrade th… |
| CVE-2024-27182 | Medium | 4.9 | 2024-08-02 | In Apache Linkis <= 1.5.0, Arbitrary file deletion in Basic management services: a user with an administrator account could delete any file accessible by… |