Severity
High
Analysis Summary
CVE-2024-36522 CVSS:9.8
Apache Wicket could allow a remote attacker to execute arbitrary code on the system, caused by a XSLT injection flaw in the default configuration of XSLTResourceStream.java. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-49566 CVSS:7.5
Apache Linkis could allow a remote authenticated attacker to obtain sensitive information, caused by a JNDI injection flaw in the DataSource Manager Module. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-46801 CVSS:8.8
Apache Linkis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the DataSource Manager Module when adding Mysql data source. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-41916 CVSS:7.5
Apache Linkis could allow a remote authenticated attacker to obtain sensitive information, caused by a JDBC parameter judgment logic flaw in the DataSource Manager Module. By sending a specially crafted request, an attacker could exploit this vulnerability to read arbitrary files, and use this information to launch further attacks against the affected system.
Impact
- Code Execution
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-36522
- CVE-2023-49566
- CVE-2023-46801
- CVE-2023-41916
Affected Vendors
Affected Products
- Apache Wicket 8.15.0
- Apache Wicket 9.17.0
- Apache Wicket 10.0.0
- Apache Linkis 1.5.0
Remediation
Upgrade to the latest version of Apache, available from the Apache Website.