CVE-2022-23848: Command injection in Alluxio

February 21, 2022 (updated March 1, 2022)

In Alluxio before 2.7.3, the logserver does not validate the input stream. NOTE: this is not the same as the CVE-2021-44228 Log4j vulnerability.

References

github.com/advisories/GHSA-j3ch-vjph-8q6v
nvd.nist.gov/vuln/detail/CVE-2022-23848
www.alluxio.io/download/releases/alluxio-2-7-3-release/

Code Behaviors & Features

Detect and mitigate CVE-2022-23848 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →