July 17, 2024
Severity
High
Analysis Summary
CVE-2024-36522 CVSS:9.8
Apache Wicket could allow a remote attacker to execute arbitrary code on the system, caused by an XSLT injection flaw in the default configuration of XSLTResourceStream.java. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
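The Wicket issue above is an XSLT processor accepting a stylesheet it should not fully trust. The following is an added example (not Wicket's code and not the patched XSLTResourceStream) showing the standard JAXP hardening a defender applies to any XSLT transform: enable FEATURE_SECURE_PROCESSING and block external DTD and stylesheet fetches. The class name HardenedXslt and both stylesheets are constructed for the demonstration; the second stylesheet calls a deliberately harmless Java extension function (java.lang.Math.abs) only to show that the hardened factory refuses extension calls at all.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedXslt {
    // Factory with JAXP secure processing enabled and external DTD/stylesheet
    // fetching disabled. With secure processing on, the JDK's built-in XSLT
    // processor refuses calls to Java extension functions from a stylesheet.
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Apply a stylesheet to an input document and return the text result.
    static String transform(String stylesheet, String input) throws Exception {
        Transformer t = hardenedFactory()
            .newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(input)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String xslNs = "http://www.w3.org/1999/XSL/Transform";

        // Constructed sample: a plain stylesheet that emits the root element name.
        String benign = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"" + xslNs + "\">"
            + "<xsl:output method=\"text\"/>"
            + "<xsl:template match=\"/\"><xsl:value-of select=\"name(/*)\"/></xsl:template>"
            + "</xsl:stylesheet>";
        System.out.println(transform(benign, "<doc/>"));

        // Constructed sample: the same stylesheet, but calling a harmless Java
        // extension function (java.lang.Math.abs). The hardened factory rejects
        // it; that refusal is what keeps an untrusted stylesheet away from
        // arbitrary Java classes.
        String withExtension = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"" + xslNs + "\" "
            + "xmlns:m=\"http://xml.apache.org/xalan/java/java.lang.Math\">"
            + "<xsl:output method=\"text\"/>"
            + "<xsl:template match=\"/\"><xsl:value-of select=\"m:abs(-1)\"/></xsl:template>"
            + "</xsl:stylesheet>";
        try {
            System.out.println(transform(withExtension, "<doc/>"));
        } catch (Exception e) {
            System.out.println("extension call rejected: " + e.getMessage());
        }
    }
}
```

The two ACCESS_EXTERNAL_* attributes are JAXP 1.5 properties understood by the JDK's built-in factory; an older third-party XSLT implementation on the classpath may reject them with IllegalArgumentException, which is itself a signal that the processor in use needs review.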
CVE-2023-49566 CVSS:7.5
Apache Linkis could allow a remote authenticated attacker to obtain sensitive information, caused by a JNDI injection flaw in the DataSource Manager Module. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-46801 CVSS:8.8
Apache Linkis could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the DataSource Manager Module when adding a MySQL data source. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-41916 CVSS:7.5
Apache Linkis could allow a remote authenticated attacker to obtain sensitive information, caused by a JDBC parameter judgment logic flaw in the DataSource Manager Module. By sending a specially crafted request, an attacker could exploit this vulnerability to read arbitrary files, and use this information to launch further attacks against the affected system.
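All three Linkis findings above (CVE-2023-49566, CVE-2023-46801 and CVE-2023-41916) come down to a data-source form that passes user-supplied connection parameters into a JDBC URL with too little checking. The following is an added example, not Linkis code, of the defensive pattern a practitioner would want in such a module: build the URL from validated pieces and accept only an allow-list of connection options. The class name JdbcParamAllowList, the allow-list contents and the regular expressions are constructed for the illustration (the listed option names are real MySQL Connector/J options, but which ones a deployment needs is a local decision); Set.of and Map.of require Java 9 or later.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

public class JdbcParamAllowList {
    // Constructed allow-list: only the connection options the data-source form
    // legitimately needs. Any other option is rejected outright, so a submitted
    // parameter cannot switch on driver behaviour the form never intended.
    private static final Set<String> ALLOWED_PARAMS = Set.of(
        "useSSL", "characterEncoding", "connectTimeout", "serverTimezone");

    // Conservative shapes for each URL component; anything that could carry a
    // second scheme, a path or a query separator does not match.
    private static final Pattern HOST  = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");
    private static final Pattern DB    = Pattern.compile("^[A-Za-z0-9_]{1,64}$");
    private static final Pattern VALUE = Pattern.compile("^[A-Za-z0-9_+/.:-]{1,64}$");

    // Assemble a MySQL JDBC URL from validated parts, or throw.
    static String buildMysqlUrl(String host, int port, String database,
                                Map<String, String> params) {
        if (host == null || !HOST.matcher(host).matches())
            throw new IllegalArgumentException("invalid host");
        if (port < 1 || port > 65535)
            throw new IllegalArgumentException("invalid port");
        if (database == null || !DB.matcher(database).matches())
            throw new IllegalArgumentException("invalid database name");

        StringBuilder url = new StringBuilder("jdbc:mysql://")
            .append(host).append(':').append(port).append('/').append(database);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            String key = e.getKey();
            String value = e.getValue();
            if (!ALLOWED_PARAMS.contains(key))
                throw new IllegalArgumentException("parameter not allowed: " + key);
            if (value == null || !VALUE.matcher(value).matches())
                throw new IllegalArgumentException("invalid value for " + key);
            url.append(sep).append(key).append('=').append(value);
            sep = '&';
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed input that a legitimate form submission would carry.
        Map<String, String> ok = new LinkedHashMap<>();
        ok.put("useSSL", "true");
        ok.put("connectTimeout", "5000");
        System.out.println(buildMysqlUrl("db.internal.example", 3306, "reports", ok));

        // Constructed input carrying an option outside the allow-list. It is a
        // real, benign Connector/J option; the point is that the module never
        // reasons about individual options, it simply refuses the unknown.
        Map<String, String> extra = new LinkedHashMap<>(ok);
        extra.put("autoReconnect", "true");
        try {
            buildMysqlUrl("db.internal.example", 3306, "reports", extra);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }

        // Constructed input with a host that tries to smuggle extra URL syntax.
        try {
            buildMysqlUrl("db.internal.example/other?x=1", 3306, "reports", ok);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

An allow-list of options is preferred over a deny-list of dangerous ones because the set of driver options that matter changes with every driver release; the validation above does not need to know which option enables which behaviour.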
Impact
- Code Execution
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-36522
- CVE-2023-49566
- CVE-2023-46801
- CVE-2023-41916
Affected Vendors
- Apache
Affected Products
- Apache Wicket 8.15.0
- Apache Wicket 9.17.0
- Apache Wicket 10.0.0
- Apache Linkis 1.5.0
Remediation
Upgrade Apache Wicket and Apache Linkis to the latest versions available from the Apache website.