CVE-2023-49566: Apache Linkis DataSource's JDBC Datasource Module with DB2 has JNDI Injection vulnerability

July 15, 2024 (updated March 27, 2025)

In Apache Linkis <=1.5.0, due to the lack of effective filteringof parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be denylisted.

This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out.

Versions of Apache Linkis <=1.5.0 will be affected. We recommend users upgrade the version of Linkis to version 1.6.0.

References

github.com/advisories/GHSA-7qpc-4xx9-x5qw
github.com/apache/linkis
linkis.apache.org/download/release-notes-1.6.0
lists.apache.org/thread/t68yy52lmv7pxgrxnq6rw7rwvk9tb1xj
nvd.nist.gov/vuln/detail/CVE-2023-49566

Code Behaviors & Features

Detect and mitigate CVE-2023-49566 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →