GHSA-6gch-63wp-4v5f

Suggest an improvement
Source
https://github.com/advisories/GHSA-6gch-63wp-4v5f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-6gch-63wp-4v5f/GHSA-6gch-63wp-4v5f.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6gch-63wp-4v5f
Aliases
  • CVE-2024-39928
Published
2024-09-25T03:30:35Z
Modified
2024-09-25T15:27:30.759305Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability
Details

In Apache Linkis <= 1.5.0, a Random string security vulnerability in Spark EngineConn, random string generated by the Token when starting Py4j uses the Commons Lang's RandomStringUtils. Users are recommended to upgrade to version 1.6.0, which fixes this issue.

Database specific
{
    "nvd_published_at": "2024-09-25T01:15:40Z",
    "cwe_ids": [
        "CWE-326"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-25T14:29:58Z"
}
References

Affected packages

Maven / org.apache.linkis:linkis-engineplugin-spark

Package

Name
org.apache.linkis:linkis-engineplugin-spark
View open source insights on deps.dev
Purl
pkg:maven/org.apache.linkis/linkis-engineplugin-spark

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.0

Affected versions

1.*

1.0.3
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.3.0
1.3.1
1.3.2
1.4.0
1.5.0