216.73.217.98

CVE-2025-29847

· Published 19/01/2026 09:16 · Modified 20/01/2026 16:16

Labels: CVE-2025-29847 2026-01-19CVE-2025-29847CWE-20[email protected]

Essential information

Published
19/01/2026 09:16
Modified
20/01/2026 16:16
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS metrics

Description

A vulnerability in Apache Linkis. Problem Description When using the JDBC engine and da When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system's checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters. Scope of Impact This issue affects Apache Linkis: from 1.3.0 through 1.7.0. Severity level moderate Solution Continuously check if the connection information contains the "%" character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue. More questions about this vulnerability can be discussed here:  https://lists.apache.org/[email protected]:2025-9:cve

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
apache / linkis cpe:2.3:a:apache:linkis:1.3.0-1.7.0:*:*:*:*:*:*:*
apache / linkis cpe:2.3:a:apache:linkis:1.8.0:*:*:*:*:*:*:*

References