CVE-2024-45627: 
Java vulnerability analysis and mitigation

CVE-2024-45627 is a security vulnerability discovered in Apache Linkis versions prior to 1.7.0. The vulnerability was disclosed on January 14, 2025, affecting the DataSource Manager Module of Apache Linkis's Metadata Query Service JDBC. The issue stems from insufficient parameter filtering in the MySQL JDBC configuration (NVD, OSS Security).

The vulnerability exists due to the lack of effective filtering of parameters in the MySQL JDBC configuration within the DataSource Manager Module. The issue is tracked as CWE-552 (Files or Directories Accessible to External Parties). The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD).

When successfully exploited, this vulnerability allows an authenticated attacker to read arbitrary files from the Linkis server through malicious MySQL JDBC parameters in the DataSource Manager Module. The attack requires the attacker to have an authorized account in Linkis (OSS Security).

Users are strongly recommended to upgrade to Apache Linkis version 1.7.0 or later, which contains the fix for this vulnerability. The fix involves implementing proper blacklisting of parameters in the MySQL JDBC URL (OSS Security).