Severity: low
Affected versions:
- Apache Linkis 1.0.0 through 1.7.0
Description:
A vulnerability.
When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64
decoding, it records the complete input parameter string in the log via
logger.error(str + "decode failed", e). If the input parameter contains
sensitive information such as Hive Metastore keys, plaintext passwords will be
left in the log files when decoding fails, resulting in information leakage.
Affected Scope
Component: Sensitive fields in hive-site.xml (e.g.,
javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.
Version: Apache Linkis 1.0.0 – 1.7.0
Trigger Conditions
The value of the configuration item is an invalid Base64 string.
Log files are readable by users other than hive-site.xml administrators.
Severity: Low
The probability of Base64 decoding failure is low.
The leakage is only triggered when logs at the Error level are exposed.
Remediation
Apache Linkis 1.8.0 and later versions have replaced the log with desensitized
content.
logger.error("URL decode failed: {}", e.getMessage()); // 不再输出 str
Users are recommended to upgrade to version 1.8.0, which fixes the issue.
Credit:
Kyler (finder)
kinghao (analyst)
Le1a (remediation developer)
kinghao (remediation reviewer)
References:
https://linkis.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-59355
