CVE-2025-59355
BaseFortify
Publication date: 2026-01-19
Last updated on: 2026-01-20
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | linkis | From 1.0.0 (inc) to 1.7.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Apache Linkis versions 1.0.0 to 1.7.0 when the HiveUtils.decode() method fails to perform Base64 decoding. In such cases, the method logs the entire input parameter string, which may contain sensitive information like Hive Metastore keys or plaintext passwords, at the error log level. If the input is an invalid Base64 string, this sensitive information is exposed in the log files, leading to information leakage.
How can this vulnerability impact me?
If exploited, this vulnerability can lead to sensitive information such as Hive Metastore keys and plaintext passwords being recorded in log files. If these log files are accessible to unauthorized users, it can result in information leakage and potential compromise of sensitive credentials.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the log files of Apache Linkis for error entries related to Base64 decoding failures in the HiveUtils.decode() method. Specifically, look for log lines containing the phrase 'decode failed' along with the input parameter string, which may include sensitive information. You can use a command like `grep "decode failed" /path/to/linkis/logs/*` to search for such error messages in the logs.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Apache Linkis to version 1.8.0 or later, where the logging behavior has been changed to avoid logging sensitive information by replacing the detailed input string with desensitized content. Additionally, ensure that log files are properly secured and not readable by unauthorized users to prevent information leakage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can lead to information leakage by logging sensitive information such as plaintext passwords in log files when Base64 decoding fails. Such leakage of sensitive data may negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive information and proper handling of personal and confidential data. However, the vulnerability is of low severity and is triggered only under specific conditions. Upgrading to Apache Linkis version 1.8.0 or later mitigates this issue by desensitizing the log content.
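As an added illustration of the pattern the answers above describe (not Linkis's own code, which is Java/Scala; this is a Python re-implementation written for this page), the vulnerable logging pattern sits beside its desensitized fix, and a scan over constructed log lines finds the 'decode failed' entries that still carry raw input. Function names, the sample secret and the log line format are assumptions.

```python
import base64
import binascii
import logging
from typing import Callable, List, Optional, Tuple

# Constructed sample (made up): a plaintext password passed where Base64 was expected.
NOT_BASE64_SECRET = "hive.metastore.password=Sup3rS3cret!"

def decode_vulnerable(value: str, log: logging.Logger) -> Optional[str]:
    """Pre-fix pattern: the whole input is logged on failure, leaking secrets (CWE-532)."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        log.error("decode failed, input=%s", value)  # leaks the raw input
        return None

def desensitize(value: str) -> str:
    """Keep only harmless metadata for troubleshooting, never the content."""
    return f"<redacted len={len(value)}>"

def decode_hardened(value: str, log: logging.Logger) -> Optional[str]:
    """Fixed pattern: same control flow, but the log line is desensitized."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        log.error("decode failed, input=%s", desensitize(value))
        return None

class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so they can be inspected."""
    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

def run(decoder: Callable, value: str) -> Tuple[Optional[str], List[str]]:
    """Run a decoder with a private in-memory logger; return (result, lines)."""
    handler = ListHandler()
    log = logging.getLogger(f"hiveutils.{decoder.__name__}")
    log.handlers.clear()
    log.propagate = False  # keep sample lines out of the root logger
    log.addHandler(handler)
    return decoder(value, log), handler.lines

def find_leaky_decode_failures(log_lines: List[str]) -> List[str]:
    """Detection: 'decode failed' entries that still carry raw input, not the marker."""
    return [l for l in log_lines if "decode failed" in l and "<redacted" not in l]
```

Running `find_leaky_decode_failures` over a log export gives the lines that should be reviewed and purged from retained logs after upgrading.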