CVE-2023-27602: Apache Linkis Unrestricted File Upload vulnerability

July 6, 2023 (updated October 22, 2024)

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types.

We recommend users upgrade the version of Linkis to version 1.3.2.

For versions <=1.3.1, we suggest turning on the file path check switch in linkis.properties

wds.linkis.workspace.filesystem.owner.check=true wds.linkis.workspace.filesystem.path.check=true

References

github.com/advisories/GHSA-x84r-jrqm-3hj8
github.com/apache/linkis
lists.apache.org/thread/wt70jfc0yfs6s5g0wg5dr5klnc48nsp1
nvd.nist.gov/vuln/detail/CVE-2023-27602

Detect and mitigate CVE-2023-27602 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →