oss-sec mailing list archives

CVE-2023-27602: Apache Linkis publicsercice module unrestricted upload of file

From: Heping Wang <peacewong () apache org>
Date: Mon, 10 Apr 2023 06:14:37 +0000

Severity: important

Description:

In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded 
files, and file types.


We recommend users upgrade the version of Linkis to version 1.3.2. 

For versions 

<=1.3.1, we suggest turning on the file path check switch in linkis.properties

`wds.linkis.workspace.filesystem.owner.check=true`
`wds.linkis.workspace.filesystem.path.check=true`

Credit:

Laihan (reporter)

References:

https://linkis.apache.org
https://www.cve.org/CVERecord?id=CVE-2023-27602

Current thread:

CVE-2023-27602: Apache Linkis publicsercice module unrestricted upload of file Heping Wang (Apr 10)
- Re: CVE-2023-27602: Apache Linkis publicsercice module unrestricted upload of file Seth Arnold (Apr 17)
  - Re: CVE-2023-27602: Apache Linkis publicsercice module unrestricted upload of file peacewong (Apr 19)