Apache Linkis 1.3.x/1.4.x/1.5.x Spark EngineConn random values

Summaryinfo

A vulnerability classified as problematic was found in Apache Linkis 1.3.x/1.4.x/1.5.x. This issue affects some unknown processing of the component Spark EngineConn. Such manipulation leads to random values. This vulnerability is listed as CVE-2024-39928. There is no available exploit. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Apache Linkis 1.3.x/1.4.x/1.5.x and classified as problematic. Affected by this issue is an unknown function of the component Spark EngineConn. The manipulation with an unknown input leads to a random values vulnerability. Using CWE to declare the problem leads to CWE-330. The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. Impacted is confidentiality. CVE summarizes:

In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes this issue.

The advisory is shared for download at lists.apache.org. This vulnerability is handled as CVE-2024-39928 since 07/04/2024. The exploitation is known to be difficult. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1600.001.

Upgrading to version 1.6.0 eliminates this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Apache

Name

• Linkis

Version

• 1.3.x
• 1.4.x
• 1.5.x

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion