AVID-2026-R1233
Description
Apache Linkis DatasourceManager module: deserialization of untrusted data leading to remote code execution (CVE-2023-29216)
Details
In Apache Linkis 1.3.1 and earlier, the DatasourceManager module does not effectively filter the connection parameters supplied when a data source is configured. An attacker who is able to register a new MySQL data source can supply malicious parameters that cause untrusted data to be deserialized when the data source is used, ultimately leading to remote code execution on the Linkis server. The issue is fixed in Linkis 1.3.2; users should upgrade to version 1.3.2 or later.
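The root cause above is user-controlled JDBC connection parameters reaching the driver unfiltered. The following is an added example written for this entry, not Apache Linkis code and not a reproduction of the project's fix: it collects every property a data-source form would hand to the MySQL driver (URL query string plus separately entered parameters), normalizes them so percent-encoding and case changes cannot bypass the check, and then applies either a denylist or, preferably, an allowlist. The advisory does not name which parameters Linkis failed to filter; the entries in DANGEROUS_PROPERTIES are documented MySQL Connector/J options that cause client-side deserialization or class loading, and treating them as the relevant set is this example's assumption. All hostnames and parameter values are constructed.

```python
"""Validate user-supplied MySQL JDBC connection parameters before a new data
source is registered.

Added illustration for this advisory; it is not Apache Linkis code and does
not reproduce the project's fix. DANGEROUS_PROPERTIES lists documented MySQL
Connector/J options that make the client deserialize server-controlled bytes
or load classes named in the connection string; the advisory does not say
which parameters Linkis failed to filter, so using this set is an assumption.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

JDBC_PREFIX = "jdbc:mysql://"

# Connector/J options that turn a connection string into a deserialization or
# class-loading primitive when the server address is attacker-chosen.
# Assumption of this example: a hardened data-source service refuses all of them.
DANGEROUS_PROPERTIES = frozenset({
    "autodeserialize",
    "queryinterceptors",
    "statementinterceptors",
    "exceptioninterceptors",
    "connectionlifecycleinterceptors",
    "allowloadlocalinfile",
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
})

# Stricter posture: forward only properties a data-source form legitimately needs.
ALLOWED_PROPERTIES = frozenset({
    "usessl", "requiressl", "servertimezone", "characterencoding",
    "useunicode", "connecttimeout", "sockettimeout",
})


class UnsafeJdbcParameter(ValueError):
    """Raised when a data-source definition carries a property we refuse."""


def _normalize(key: str) -> str:
    # Percent-decode and fold case so "%61utoDeserialize" or "AutoDeserialize"
    # cannot slip past a literal string comparison. Case folding is deliberately
    # conservative and does not assume how the driver itself matches names.
    return unquote(key).strip().lower()


def collect_driver_properties(jdbc_url: str, extra_params: dict) -> dict:
    """Gather every property that would reach the driver: those in the URL
    query string and those entered separately in the data-source form."""
    if not jdbc_url.startswith(JDBC_PREFIX):
        raise UnsafeJdbcParameter(f"not a MySQL JDBC URL: {jdbc_url!r}")
    # Drop the "jdbc:" prefix so urlsplit sees an ordinary mysql://host/db?query URL.
    query = urlsplit(jdbc_url[len("jdbc:"):]).query
    props = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        props[_normalize(key)] = value
    for key, value in extra_params.items():
        props[_normalize(str(key))] = str(value)
    return props


def find_rejected(props: dict, mode: str = "allowlist") -> list:
    """Return the normalized keys that must not be forwarded to the driver."""
    if mode == "denylist":
        return sorted(k for k in props if k in DANGEROUS_PROPERTIES)
    if mode == "allowlist":
        return sorted(k for k in props if k not in ALLOWED_PROPERTIES)
    raise ValueError(f"unknown mode {mode!r}")


def validate_datasource(jdbc_url: str, extra_params: dict, mode: str = "allowlist") -> dict:
    """Return the sanitized property map, or raise if any property is refused."""
    props = collect_driver_properties(jdbc_url, extra_params)
    rejected = find_rejected(props, mode)
    if rejected:
        raise UnsafeJdbcParameter(f"refused JDBC properties: {rejected}")
    return props


if __name__ == "__main__":
    # Constructed inputs for the demo; none come from a real deployment.
    ok_url = "jdbc:mysql://db.internal:3306/analytics?useSSL=true"
    print("accepted:", validate_datasource(ok_url, {"connectTimeout": "5000"}))
    for bad in (
        "jdbc:mysql://198.51.100.7:3306/x?autoDeserialize=true",
        "jdbc:mysql://198.51.100.7:3306/x?AutoDeserialize=TRUE",
        "jdbc:mysql://198.51.100.7:3306/x?%61utoDeserialize=true",
    ):
        try:
            validate_datasource(bad, {}, mode="denylist")
        except UnsafeJdbcParameter as exc:
            print("blocked:", exc)
```

The denylist mode shows why a blocklist alone is fragile: it only catches names somebody already thought of, and every new driver option reopens the question. The allowlist mode rejects anything not explicitly needed, which is the posture to aim for when a multi-tenant service lets users define connection strings to servers they control.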
Reason for inclusion in AVID: CVE-2023-29216 describes a remote code execution via deserialization in Apache Linkis DatasourceManager. This is a software vulnerability in a component that can be used in data processing pipelines relevant to AI workflows, representing a supply-chain risk for general-purpose AI systems. The report provides clear vulnerability details (CWE-502), affected versions, and references, enabling assessment and remediation.
References
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-29216
- https://lists.apache.org/thread/18vv0m32oy51nzk8tbz13qdl5569y55l
- http://www.openwall.com/lists/oss-security/2023/04/10/5
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Linkis |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-502 | Deserialization of Untrusted Data |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-04-10
- Version: 0.3.3
- AVID Entry