Vulnerability-Lookup

CVE-2025-59355 (GCVE-0-2025-59355)

Vulnerability from cvelistv5 – Published: 2026-01-19 08:37 – Updated: 2026-01-20 15:07

Title

Apache Linkis: Password Exposure

Summary

A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage. Affected Scope Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64. Version: Apache Linkis 1.0.0 – 1.7.0 Trigger Conditions The value of the configuration item is an invalid Base64 string. Log files are readable by users other than hive-site.xml administrators. Severity: Low The probability of Base64 decoding failure is low. The leakage is only triggered when logs at the Error level are exposed. Remediation Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content. logger.error("URL decode failed: {}", e.getMessage()); // 不再输出 str Users are recommended to upgrade to version 1.8.0, which fixes the issue.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-532 - Insertion of Sensitive Information into Log File

Assigner

apache

References

3 references

URL	Tags
https://lists.apache.org/thread/75z7vhftw6w1mllnd…	patch
https://lists.apache.org/thread/4dcgmqdkk2p5y4k43…	vendor-advisory
http://www.openwall.com/lists/oss-security/2025/09/19/1

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Linkis	Affected: 1.0.0 , ≤ 1.7.0 (semver)

Credits

Kyler kinghao Le1a kinghao

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-19T09:12:28.261Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/19/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-59355",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-20T15:06:21.815440Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-20T15:07:22.356Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Linkis",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.7.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kyler"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "kinghao"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Le1a"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "kinghao"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA vulnerability.\u003cbr\u003e\u003cbr\u003eWhen org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + \"decode failed\", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003cb\u003eAffected Scope\u003c/b\u003e\u003cbr\u003eComponent: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.\u003cbr\u003eVersion: Apache Linkis 1.0.0 \u2013 1.7.0\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003cb\u003eTrigger Conditions\u003c/b\u003e\u003cbr\u003eThe value of the configuration item is an invalid Base64 string.\u003cbr\u003eLog files are readable by users other than hive-site.xml administrators.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003cb\u003eSeverity: Low\u003c/b\u003e\u003cbr\u003eThe probability of Base64 decoding failure is low.\u003cbr\u003eThe leakage is only triggered when logs at the Error level are exposed.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eRemediation\u003c/b\u003e\u003cbr\u003eApache Linkis 1.8.0 and later versions have replaced the log with desensitized content.\u003cbr\u003elogger.error(\"URL decode failed: {}\", e.getMessage());   // \u4e0d\u518d\u8f93\u51fa str\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability.\n\nWhen org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + \"decode failed\", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.\n\n\nAffected Scope\nComponent: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.\nVersion: Apache Linkis 1.0.0 \u2013 1.7.0\n\n\nTrigger Conditions\nThe value of the configuration item is an invalid Base64 string.\nLog files are readable by users other than hive-site.xml administrators.\n\n\nSeverity: Low\nThe probability of Base64 decoding failure is low.\nThe leakage is only triggered when logs at the Error level are exposed.\n\nRemediation\nApache Linkis 1.8.0 and later versions have replaced the log with desensitized content.\nlogger.error(\"URL decode failed: {}\", e.getMessage());   // \u4e0d\u518d\u8f93\u51fa str\n\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T08:37:24.364Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Linkis: Password Exposure",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-59355",
    "datePublished": "2026-01-19T08:37:24.364Z",
    "dateReserved": "2025-09-12T13:49:22.918Z",
    "dateUpdated": "2026-01-20T15:07:22.356Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-59355",
      "date": "2026-06-27",
      "epss": "0.00403",
      "percentile": "0.32219"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-59355\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-01-19T09:16:02.107\",\"lastModified\":\"2026-06-17T09:45:58.130\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability.\\n\\nWhen org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + \\\"decode failed\\\", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.\\n\\n\\nAffected Scope\\nComponent: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.\\nVersion: Apache Linkis 1.0.0 \u2013 1.7.0\\n\\n\\nTrigger Conditions\\nThe value of the configuration item is an invalid Base64 string.\\nLog files are readable by users other than hive-site.xml administrators.\\n\\n\\nSeverity: Low\\nThe probability of Base64 decoding failure is low.\\nThe leakage is only triggered when logs at the Error level are exposed.\\n\\nRemediation\\nApache Linkis 1.8.0 and later versions have replaced the log with desensitized content.\\nlogger.error(\\\"URL decode failed: {}\\\", e.getMessage());   // \u4e0d\u518d\u8f93\u51fa str\\n\\n\\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad.\\n\\nCuando org.apache.linkis.metadata.util.HiveUtils.decode() falla al realizar la decodificaci\u00f3n Base64, registra la cadena completa del par\u00e1metro de entrada en el log a trav\u00e9s de logger.error(str + \u0027decode failed\u0027, e). Si el par\u00e1metro de entrada contiene informaci\u00f3n sensible como claves de Hive Metastore, las contrase\u00f1as en texto plano quedar\u00e1n en los archivos de log cuando la decodificaci\u00f3n falle, lo que resulta en una fuga de informaci\u00f3n.\\n\\nAlcance Afectado\\nComponente: Campos sensibles en hive-site.xml (por ejemplo, javax.jdo.option.ConnectionPassword) u otros campos codificados en Base64.\\nVersi\u00f3n: Apache Linkis 1.0.0 \u2013 1.7.0\\n\\nCondiciones de Activaci\u00f3n\\nEl valor del elemento de configuraci\u00f3n es una cadena Base64 inv\u00e1lida.\\nLos archivos de log son legibles por usuarios distintos de los administradores de hive-site.xml.\\n\\nSeveridad: Baja\\nLa probabilidad de fallo en la decodificaci\u00f3n Base64 es baja.\\nLa fuga solo se activa cuando los logs de nivel Error est\u00e1n expuestos.\\n\\nRemediaci\u00f3n\\nApache Linkis 1.8.0 y versiones posteriores han reemplazado el log con contenido desensibilizado.\\nlogger.error(\u0027URL decode failed: {}\u0027, e.getMessage());   // Ya no se imprime str\\n\\nSe recomienda a los usuarios actualizar a la versi\u00f3n 1.8.0, que corrige el problema.\"}],\"affected\":[{\"source\":\"security@apache.org\",\"affectedData\":[{\"vendor\":\"Apache Software Foundation\",\"product\":\"Apache Linkis\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"1.0.0\",\"lessThanOrEqual\":\"1.7.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-20T15:06:21.815440Z\",\"id\":\"CVE-2025-59355\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0.0\",\"versionEndExcluding\":\"1.8.0\",\"matchCriteriaId\":\"42671BCA-BDD3-4D44-B2BC-5D022FD51E00\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2025/09/19/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2025/09/19/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-01-19T09:12:28.261Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59355\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-20T15:06:21.815440Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-20T15:07:13.192Z\"}}], \"cna\": {\"title\": \"Apache Linkis: Password Exposure\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Kyler\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"kinghao\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Le1a\"}, {\"lang\": \"en\", \"type\": \"remediation reviewer\", \"value\": \"kinghao\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Linkis\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.7.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj\", \"tags\": [\"patch\"]}, {\"url\": \"https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability.\\n\\nWhen org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + \\\"decode failed\\\", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.\\n\\n\\nAffected Scope\\nComponent: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.\\nVersion: Apache Linkis 1.0.0 \\u2013 1.7.0\\n\\n\\nTrigger Conditions\\nThe value of the configuration item is an invalid Base64 string.\\nLog files are readable by users other than hive-site.xml administrators.\\n\\n\\nSeverity: Low\\nThe probability of Base64 decoding failure is low.\\nThe leakage is only triggered when logs at the Error level are exposed.\\n\\nRemediation\\nApache Linkis 1.8.0 and later versions have replaced the log with desensitized content.\\nlogger.error(\\\"URL decode failed: {}\\\", e.getMessage());   // \\u4e0d\\u518d\\u8f93\\u51fa str\\n\\n\\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eA vulnerability.\u003cbr\u003e\u003cbr\u003eWhen org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + \\\"decode failed\\\", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003cb\u003eAffected Scope\u003c/b\u003e\u003cbr\u003eComponent: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.\u003cbr\u003eVersion: Apache Linkis 1.0.0 \\u2013 1.7.0\u003c/p\u003e\u003cbr\u003e\u003cp\u003e\u003cb\u003eTrigger Conditions\u003c/b\u003e\u003cbr\u003eThe value of the configuration item is an invalid Base64 string.\u003cbr\u003eLog files are readable by users other than hive-site.xml administrators.\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003cb\u003eSeverity: Low\u003c/b\u003e\u003cbr\u003eThe probability of Base64 decoding failure is low.\u003cbr\u003eThe leakage is only triggered when logs at the Error level are exposed.\u003cbr\u003e\u003cbr\u003e\u003cb\u003eRemediation\u003c/b\u003e\u003cbr\u003eApache Linkis 1.8.0 and later versions have replaced the log with desensitized content.\u003cbr\u003elogger.error(\\\"URL decode failed: {}\\\", e.getMessage());   // \\u4e0d\\u518d\\u8f93\\u51fa str\u003cbr\u003e\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to version 1.8.0, which fixes the issue.\u003cbr\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-532\", \"description\": \"CWE-532 Insertion of Sensitive Information into Log File\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-01-19T08:37:24.364Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-59355\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-20T15:07:22.356Z\", \"dateReserved\": \"2025-09-12T13:49:22.918Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-01-19T08:37:24.364Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CNVD-2026-09792

Vulnerability from cnvd - Published: 2026-01-30

Title

Apache Linkis信息泄露漏洞（CNVD-2026-09792）

Description

Apache Linkis是美国阿帕奇（Apache）基金会的一款中间件产品，可以在上层应用和底层数据引擎之间建立起有效的连接。 Apache Linkis存在信息泄露漏洞，该漏洞源于Base64解码失败时在日志中记录完整输入参数字符串，攻击者可利用该漏洞导致敏感信息泄露。

Severity

中

Patch Name

Apache Linkis信息泄露漏洞（CNVD-2026-09792）的补丁

Patch Description

Apache Linkis是美国阿帕奇（Apache）基金会的一款中间件产品，可以在上层应用和底层数据引擎之间建立起有效的连接。 Apache Linkis存在信息泄露漏洞，该漏洞源于Base64解码失败时在日志中记录完整输入参数字符串，攻击者可利用该漏洞导致敏感信息泄露。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://linkis.apache.org/

Reference

https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h

Impacted products

Name
Apache linkis >=1.0.0，<1.8.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-59355",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-59355"
    }
  },
  "description": "Apache Linkis\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u4e2d\u95f4\u4ef6\u4ea7\u54c1\uff0c\u53ef\u4ee5\u5728\u4e0a\u5c42\u5e94\u7528\u548c\u5e95\u5c42\u6570\u636e\u5f15\u64ce\u4e4b\u95f4\u5efa\u7acb\u8d77\u6709\u6548\u7684\u8fde\u63a5\u3002\n\nApache Linkis\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eBase64\u89e3\u7801\u5931\u8d25\u65f6\u5728\u65e5\u5fd7\u4e2d\u8bb0\u5f55\u5b8c\u6574\u8f93\u5165\u53c2\u6570\u5b57\u7b26\u4e32\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u654f\u611f\u4fe1\u606f\u6cc4\u9732\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://linkis.apache.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-09792",
  "openTime": "2026-01-30",
  "patchDescription": "Apache Linkis\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u4e2d\u95f4\u4ef6\u4ea7\u54c1\uff0c\u53ef\u4ee5\u5728\u4e0a\u5c42\u5e94\u7528\u548c\u5e95\u5c42\u6570\u636e\u5f15\u64ce\u4e4b\u95f4\u5efa\u7acb\u8d77\u6709\u6548\u7684\u8fde\u63a5\u3002\r\n\r\nApache Linkis\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eBase64\u89e3\u7801\u5931\u8d25\u65f6\u5728\u65e5\u5fd7\u4e2d\u8bb0\u5f55\u5b8c\u6574\u8f93\u5165\u53c2\u6570\u5b57\u7b26\u4e32\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u654f\u611f\u4fe1\u606f\u6cc4\u9732\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Linkis\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2026-09792\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache linkis \u003e=1.0.0\uff0c\u003c1.8.0"
  },
  "referenceLink": "https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h",
  "serverity": "\u4e2d",
  "submitTime": "2026-01-30",
  "title": "Apache Linkis\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2026-09792\uff09"
}

FKIE_CVE-2025-59355

Vulnerability from fkie_nvd - Published: 2026-01-19 09:16 - Updated: 2026-06-17 09:45

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@apache.org	https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h	Mailing List
security@apache.org	https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj	Mailing List
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/09/19/1	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	linkis	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Linkis",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.7.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "source": "security@apache.org"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:linkis:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "42671BCA-BDD3-4D44-B2BC-5D022FD51E00",
              "versionEndExcluding": "1.8.0",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability.\n\nWhen org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + \"decode failed\", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.\n\n\nAffected Scope\nComponent: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.\nVersion: Apache Linkis 1.0.0 \u2013 1.7.0\n\n\nTrigger Conditions\nThe value of the configuration item is an invalid Base64 string.\nLog files are readable by users other than hive-site.xml administrators.\n\n\nSeverity: Low\nThe probability of Base64 decoding failure is low.\nThe leakage is only triggered when logs at the Error level are exposed.\n\nRemediation\nApache Linkis 1.8.0 and later versions have replaced the log with desensitized content.\nlogger.error(\"URL decode failed: {}\", e.getMessage());   // \u4e0d\u518d\u8f93\u51fa str\n\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad.\n\nCuando org.apache.linkis.metadata.util.HiveUtils.decode() falla al realizar la decodificaci\u00f3n Base64, registra la cadena completa del par\u00e1metro de entrada en el log a trav\u00e9s de logger.error(str + \u0027decode failed\u0027, e). Si el par\u00e1metro de entrada contiene informaci\u00f3n sensible como claves de Hive Metastore, las contrase\u00f1as en texto plano quedar\u00e1n en los archivos de log cuando la decodificaci\u00f3n falle, lo que resulta en una fuga de informaci\u00f3n.\n\nAlcance Afectado\nComponente: Campos sensibles en hive-site.xml (por ejemplo, javax.jdo.option.ConnectionPassword) u otros campos codificados en Base64.\nVersi\u00f3n: Apache Linkis 1.0.0 \u2013 1.7.0\n\nCondiciones de Activaci\u00f3n\nEl valor del elemento de configuraci\u00f3n es una cadena Base64 inv\u00e1lida.\nLos archivos de log son legibles por usuarios distintos de los administradores de hive-site.xml.\n\nSeveridad: Baja\nLa probabilidad de fallo en la decodificaci\u00f3n Base64 es baja.\nLa fuga solo se activa cuando los logs de nivel Error est\u00e1n expuestos.\n\nRemediaci\u00f3n\nApache Linkis 1.8.0 y versiones posteriores han reemplazado el log con contenido desensibilizado.\nlogger.error(\u0027URL decode failed: {}\u0027, e.getMessage());   // Ya no se imprime str\n\nSe recomienda a los usuarios actualizar a la versi\u00f3n 1.8.0, que corrige el problema."
    }
  ],
  "id": "CVE-2025-59355",
  "lastModified": "2026-06-17T09:45:58.130",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2025-59355",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-01-20T15:06:21.815440Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-01-19T09:16:02.107",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/09/19/1"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

GHSA-6VFR-P2HX-6V32

Vulnerability from github – Published: 2026-01-19 09:30 – Updated: 2026-01-21 01:03

Summary

Apache Linkis: Password Exposure

Details

When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.

Affected Scope Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64. Version: Apache Linkis 1.0.0 – 1.7.0

Trigger Conditions The value of the configuration item is an invalid Base64 string. Log files are readable by users other than hive-site.xml administrators.

Severity: Low The probability of Base64 decoding failure is low. The leakage is only triggered when logs at the Error level are exposed.

Remediation Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content. logger.error("URL decode failed: {}", e.getMessage()); // 不再输出 str

Users are recommended to upgrade to version 1.8.0, which fixes the issue.

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.linkis:linkis-metadata"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T01:03:28Z",
    "nvd_published_at": "2026-01-19T09:16:02Z",
    "severity": "MODERATE"
  },
  "details": "When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + \"decode failed\", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.\n\n\nAffected Scope\nComponent: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.\nVersion: Apache Linkis 1.0.0 \u2013 1.7.0\n\n\nTrigger Conditions\nThe value of the configuration item is an invalid Base64 string.\nLog files are readable by users other than hive-site.xml administrators.\n\n\nSeverity: Low\nThe probability of Base64 decoding failure is low.\nThe leakage is only triggered when logs at the Error level are exposed.\n\nRemediation\nApache Linkis 1.8.0 and later versions have replaced the log with desensitized content.\nlogger.error(\"URL decode failed: {}\", e.getMessage());   // \u4e0d\u518d\u8f93\u51fa str\n\n\nUsers are recommended to upgrade to version 1.8.0, which fixes the issue.",
  "id": "GHSA-6vfr-p2hx-6v32",
  "modified": "2026-01-21T01:03:28Z",
  "published": "2026-01-19T09:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59355"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/linkis"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/09/19/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Linkis: Password Exposure"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-59355 (GCVE-0-2025-59355)

CNVD-2026-09792

FKIE_CVE-2025-59355

GHSA-6VFR-P2HX-6V32

Tags

Sightings

Nomenclature