Vulnerability-Lookup

CNVD-2026-09791

Vulnerability from cnvd - Published: 2026-01-30

Title

Apache Linkis授权问题漏洞

Description

Apache Linkis是美国阿帕奇（Apache）基金会的一款中间件产品，可以在上层应用和底层数据引擎之间建立起有效的连接。 Apache Linkis存在授权问题漏洞，该漏洞源于前端配置的URL参数经过多轮URL编码可能绕过系统检查，攻击者可利用该漏洞导致通过JDBC参数未经授权访问系统文件。

Severity

高

Patch Name

Apache Linkis授权问题漏洞的补丁

Patch Description

Apache Linkis是美国阿帕奇（Apache）基金会的一款中间件产品，可以在上层应用和底层数据引擎之间建立起有效的连接。 Apache Linkis存在授权问题漏洞，该漏洞源于前端配置的URL参数经过多轮URL编码可能绕过系统检查，攻击者可利用该漏洞导致通过JDBC参数未经授权访问系统文件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://linkis.apache.org/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-29847

Impacted products

Name
Apache linkis >=1.3.0，<1.8.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-29847",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-29847"
    }
  },
  "description": "Apache Linkis\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u4e2d\u95f4\u4ef6\u4ea7\u54c1\uff0c\u53ef\u4ee5\u5728\u4e0a\u5c42\u5e94\u7528\u548c\u5e95\u5c42\u6570\u636e\u5f15\u64ce\u4e4b\u95f4\u5efa\u7acb\u8d77\u6709\u6548\u7684\u8fde\u63a5\u3002\n\nApache Linkis\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u524d\u7aef\u914d\u7f6e\u7684URL\u53c2\u6570\u7ecf\u8fc7\u591a\u8f6eURL\u7f16\u7801\u53ef\u80fd\u7ed5\u8fc7\u7cfb\u7edf\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u901a\u8fc7JDBC\u53c2\u6570\u672a\u7ecf\u6388\u6743\u8bbf\u95ee\u7cfb\u7edf\u6587\u4ef6\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://linkis.apache.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-09791",
  "openTime": "2026-01-30",
  "patchDescription": "Apache Linkis\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u4e2d\u95f4\u4ef6\u4ea7\u54c1\uff0c\u53ef\u4ee5\u5728\u4e0a\u5c42\u5e94\u7528\u548c\u5e95\u5c42\u6570\u636e\u5f15\u64ce\u4e4b\u95f4\u5efa\u7acb\u8d77\u6709\u6548\u7684\u8fde\u63a5\u3002\r\n\r\nApache Linkis\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u524d\u7aef\u914d\u7f6e\u7684URL\u53c2\u6570\u7ecf\u8fc7\u591a\u8f6eURL\u7f16\u7801\u53ef\u80fd\u7ed5\u8fc7\u7cfb\u7edf\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u901a\u8fc7JDBC\u53c2\u6570\u672a\u7ecf\u6388\u6743\u8bbf\u95ee\u7cfb\u7edf\u6587\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Linkis\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache linkis \u003e=1.3.0\uff0c\u003c1.8.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-29847",
  "serverity": "\u9ad8",
  "submitTime": "2026-01-30",
  "title": "Apache Linkis\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2025-29847 (GCVE-0-2025-29847)

Vulnerability from cvelistv5 – Published: 2026-01-19 08:36 – Updated: 2026-01-20 15:12

Title

Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass

Summary

A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters. Scope of Impact This issue affects Apache Linkis: from 1.3.0 through 1.7.0. Severity level moderate Solution Continuously check if the connection information contains the "%" character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue. More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve

Severity ?

No CVSS data available.

CWE

CWE-20 - Improper Input Validation
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/03l5rfkgdt022o75j…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Linkis	Affected: 1.3.0 , ≤ 1.7.0 (semver)

Credits

Le1a and A1kaid from Threatbook kinghao Le1a from Threatbook kinghao

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-19T09:11:59.096Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/19/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-29847",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-20T15:10:49.304422Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-20T15:12:04.287Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Linkis",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.7.0",
              "status": "affected",
              "version": "1.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Le1a and A1kaid from Threatbook"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "kinghao"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Le1a from Threatbook"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "kinghao"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA vulnerability in Apache Linkis.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eProblem Description\u003c/b\u003e\u003cbr\u003eWhen using the JDBC engine and da\u003cbr\u003eWhen using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system\u0027s checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.\u003c/p\u003e\u003cb\u003eScope of Impact\u003c/b\u003e\u003cbr\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis issue affects Apache Linkis: from 1.3.0 through 1.7.0.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eSeverity level\u003c/b\u003e\u003cbr\u003e\u003c/span\u003e\n\nmoderate\u003cbr\u003e\u003cp\u003e\u003cb\u003eSolution\u003c/b\u003e\u003cbr\u003eContinuously check if the connection information contains the \"%\" character; if it does, perform URL decoding.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\u003cbr\u003e\u003c/p\u003e\u003cp\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMore questions about this vulnerability can be discussed here:\u003c/span\u003e\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve\"\u003ehttps://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve\u003c/a\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability in Apache Linkis.\n\nProblem Description\nWhen using the JDBC engine and da\nWhen using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system\u0027s checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.\n\nScope of Impact\n\n\nThis issue affects Apache Linkis: from 1.3.0 through 1.7.0.\n\nSeverity level\n\n\nmoderate\nSolution\nContinuously check if the connection information contains the \"%\" character; if it does, perform URL decoding.\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\n\n\n\n\nMore questions about this vulnerability can be discussed here:\u00a0 https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T08:36:06.839Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Linkis: Arbitrary File Read via Double URL Encoding Bypass",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-29847",
    "datePublished": "2026-01-19T08:36:06.839Z",
    "dateReserved": "2025-03-12T03:28:05.936Z",
    "dateUpdated": "2026-01-20T15:12:04.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-09791

CVE-2025-29847 (GCVE-0-2025-29847)

Tags

Sightings

Nomenclature