CVE-2025-59355

Description

A vulnerability.When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + decode failed, e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage.Affected ScopeComponent: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.Version: Apache Linkis 1.0.0 1.7.0Trigger ConditionsThe value of the configuration item is an invalid Base64 string.Log files are readable by users other than hive-site.xml administrators.Severity: LowThe probability of Base64 decoding failure is low.The leakage is only triggered when logs at the Error level are exposed.RemediationApache Linkis 1.8.0 and later versions have replaced the log with desensitized content.logger.error(URL decode failed: {}, e.getMessage()); // strUsers are recommended to upgrade to version 1.8.0, which fixes the issue.

Risk Information

Base Score

6.5

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score

Exploitation Probability

0.047

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2025-59355 are fixed in Apache - linkis-metadata 1.8.0	Windows
Vulnerabilities CVE-2025-59355 are fixed in Apache - linkis-metadata for Linux 1.8.0	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234