CVE-2025-59355

Severity: Medium (CVSS 3.1 base score 6.5)
EPSS: 32.2%
Published: Jan 19, 2026
Last Modified: Jun 17, 2026

Description

A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via logger.error(str + "decode failed", e). If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords are left in the log files when decoding fails, resulting in information leakage.

Affected Scope

Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64.
Version: Apache Linkis 1.0.0 – 1.7.0

Trigger Conditions

  • The value of the configuration item is an invalid Base64 string.
  • Log files are readable by users other than hive-site.xml administrators.

Severity: Low

The probability of Base64 decoding failure is low. The leakage is only triggered when logs at the Error level are exposed.

Remediation

Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content:

logger.error("URL decode failed: {}", e.getMessage()); // str is no longer output

Users are recommended to upgrade to version 1.8.0, which fixes the issue.
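Added example (not Linkis's own code): the logging pattern quoted in the description beside the desensitized form from the 1.8.0 fix, with java.util.logging standing in for the project's logger and an in-memory handler that checks which variant writes the secret into the log. The method names, the null return on failure and the password value are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.logging.*;

public class HiveUtilsDecodeDemo {
    private static final Logger logger = Logger.getLogger(HiveUtilsDecodeDemo.class.getName());
    // Vulnerable pattern (CWE-532): the raw input, which may be a plaintext
    // hive-site.xml password, is written into the error log when decoding fails.
    static String decodeLeaky(String str) {
        try {
            return new String(Base64.getDecoder().decode(str), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            logger.log(Level.SEVERE, str + "decode failed", e);
            return null; // failure result is an assumption, not Linkis behaviour
        }
    }
    // Hardened pattern, as in the 1.8.0 fix: only the exception message reaches
    // the log; the input value itself is never logged.
    static String decodeSafe(String str) {
        try {
            return new String(Base64.getDecoder().decode(str), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            logger.log(Level.SEVERE, "URL decode failed: {0}", e.getMessage());
            return null;
        }
    }
    // Constructed test value: a plaintext password that is not valid Base64.
    static final String SECRET = "hive-pass!#2024";
    // Run an action with an in-memory log handler and report whether the
    // captured log text contains the given secret.
    static boolean logContains(Runnable action, String needle) {
        StringBuilder captured = new StringBuilder();
        Handler h = new Handler() {
            public void publish(LogRecord r) { captured.append(new SimpleFormatter().format(r)); }
            public void flush() {}
            public void close() {}
        };
        logger.addHandler(h);
        logger.setUseParentHandlers(false);
        try { action.run(); } finally { logger.removeHandler(h); }
        return captured.indexOf(needle) >= 0;
    }

    public static void main(String[] args) {
        System.out.println("leaky variant writes the secret to the log: " + logContains(() -> decodeLeaky(SECRET), SECRET));
        System.out.println("fixed variant writes the secret to the log: " + logContains(() -> decodeSafe(SECRET), SECRET));
    }
}
```

The same in-memory check can be pointed at any decode helper in a code base to verify that a failed decode never echoes its input, which is the condition the hive-site.xml password leak depends on.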

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
32.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-532

Affected Products 1

Vendor   Product   Version   Range
apache   linkis    *         ≥1.0.0 – <1.8.0

References 3

  • openwall.com http://www.openwall.com/lists/oss-security/2025/09/19/1
    Mailing List, Third Party Advisory
  • lists.apache.org https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h
    Mailing List
  • lists.apache.org https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj
    Mailing List

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.