CVE-2025-29847

Description

A vulnerability in Apache Linkis.Problem DescriptionWhen using the JDBC engine and daWhen using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the systems checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters.Scope of ImpactThis issue affects Apache Linkis: from 1.3.0 through 1.7.0.Severity levelmoderateSolutionContinuously check if the connection information contains the % character; if it does, perform URL decoding.Users are recommended to upgrade to version 1.8.0, which fixes the issue.More questions about this vulnerability can be discussed here: https://lists.apache.org/listdev@linkis.apache.org:2025-9:cve

Risk Information

Base Score

7.5

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

Exploitation Probability

0.123

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2025-29847 are fixed in Apache-linkis 1.8.0	Windows
Vulnerabilities CVE-2025-29847 are fixed in Apache-linkis for Linux 1.8.0	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234