{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-27602","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2023-03-04T10:46:35.079Z","datePublished":"2023-04-10T07:36:28.437Z","dateUpdated":"2025-02-13T16:45:29.640Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache Linkis","vendor":"Apache Software Foundation","versions":[{"lessThanOrEqual":"1.3.1","status":"affected","version":"0","versionType":"maven"}]}],"credits":[{"lang":"en","type":"reporter","value":"Laihan"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\n\nIn Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types.
\n\nWe recommend users upgrade the version of Linkis to version 1.3.2. \n
For versions \n\n<=1.3.1, we suggest turning on the file path check switch in linkis.properties
\n`wds.linkis.workspace.filesystem.owner.check=true`
`wds.linkis.workspace.filesystem.path.check=true`"}],"value":"In Apache Linkis <=1.3.1, The PublicService module uploads files without restrictions on the path to the uploaded files, and file types.\n\n\nWe recommend users upgrade the version of Linkis to version 1.3.2. \n\nFor versions \n\n<=1.3.1, we suggest turning on the file path check switch in linkis.properties\n\n`wds.linkis.workspace.filesystem.owner.check=true`\n`wds.linkis.workspace.filesystem.path.check=true`"}],"metrics":[{"other":{"content":{"text":"important"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-434","description":"CWE-434 Unrestricted Upload of File with Dangerous Type","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2023-04-19T11:06:11.804Z"},"references":[{"tags":["mailing-list","vendor-advisory"],"url":"https://lists.apache.org/thread/wt70jfc0yfs6s5g0wg5dr5klnc48nsp1"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/10/1"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/18/4"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/3"}],"source":{"discovery":"EXTERNAL"},"title":"Apache Linkis publicsercice module unrestricted upload of file","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T12:16:35.883Z"},"title":"CVE Program Container","references":[{"tags":["mailing-list","vendor-advisory","x_transferred"],"url":"https://lists.apache.org/thread/wt70jfc0yfs6s5g0wg5dr5klnc48nsp1"},{"url":"http://www.openwall.com/lists/oss-security/2023/04/10/1","tags":["x_transferred"]},{"url":"http://www.openwall.com/lists/oss-security/2023/04/18/4","tags":["x_transferred"]},{"url":"http://www.openwall.com/lists/oss-security/2023/04/19/3","tags":["x_transferred"]}]},{"affected":[{"vendor":"apache","product":"linkis","cpes":["cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","versions":[{"version":"0","status":"affected","lessThanOrEqual":"1.3.1","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-10-22T15:25:12.309658Z","id":"CVE-2023-27602","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-22T15:26:24.290Z"}}]}}