CNVD-2022-02489
China National Vulnerability Database
History: Jan 07, 2022 - 12:00 a.m.

Apache Kylin OS Command Injection Vulnerability

Source: China National Vulnerability Database (www.cnvd.org.cn)
5

EPSS: 0.084 (Low), percentile 94.5%

Apache Kylin is an open-source distributed analytical data warehouse from the Apache Software Foundation. It provides a SQL query interface and multidimensional (OLAP) analysis on top of Hadoop/Spark.

Apache Kylin is vulnerable to OS command injection. Before executing certain commands that take a user-supplied project name as a parameter, Kylin checks that the project is legitimate, but in DiagnosisService the value that is checked is not the same value that is later used as a shell command argument. An attacker can therefore craft a project name that passes the check while still carrying shell metacharacters into the command, which results in command injection.
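The check/use mismatch described above, as an added illustration that is not Apache Kylin's own (Java) code: a tolerant lookup validates a normalised copy of the project name while the raw request value is interpolated into a shell command line, beside a hardened version that validates exactly the value it uses and never goes through a shell. The project registry, the first-token lookup and the printf stand-in for the diagnosis script are assumptions made for the example.

```python
"""Check/use mismatch in a diagnosis endpoint (constructed illustration).

This is not Apache Kylin's code. The tolerant lookup, the project registry
and the printf stand-in for the diagnosis script are assumptions made to
show the class of bug the advisory describes.
"""
import re
import shlex
import subprocess

# Constructed registry standing in for Kylin's project metadata.
KNOWN_PROJECTS = {"learn_kylin", "sales_dw"}

# Strict allowlist for project names: no shell metacharacter can pass it.
PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")

# Stand-in for the diagnosis script so the demo runs anywhere: printf just
# echoes the argument it was handed, which shows what the shell received.
DIAG_ARGV = ["printf", "diag for project: %s\\n"]


def tolerant_check(raw):
    """Vulnerable pattern: validates a normalised copy of the input.

    Modelled (assumption) as a lookup that keeps only the first
    whitespace-delimited token, so 'learn_kylin ; echo INJECTED' is judged
    by 'learn_kylin' alone and passes. The caller then uses the full string.
    """
    tokens = raw.split()
    key = tokens[0] if tokens else ""
    if key not in KNOWN_PROJECTS:
        raise ValueError(f"unknown project: {key!r}")
    return key


def build_diag_command_vulnerable(raw):
    """Checks one value, uses another: the raw parameter is interpolated
    into a shell command line after the tolerant check has passed."""
    tolerant_check(raw)  # return value ignored; raw is what gets used
    return " ".join(shlex.quote(a) for a in DIAG_ARGV) + " " + raw


def run_vulnerable(raw):
    """Execute through a shell, as a string command line forces you to."""
    cmd = build_diag_command_vulnerable(raw)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def strict_check(raw):
    """Hardened check: validate exactly the value that will be used, first
    against a character allowlist and then against the project registry."""
    if not PROJECT_NAME_RE.fullmatch(raw):
        raise ValueError(f"illegal project name: {raw!r}")
    if raw not in KNOWN_PROJECTS:
        raise ValueError(f"unknown project: {raw!r}")
    return raw


def is_accepted_by_strict_check(raw):
    """True if the hardened check would let this project name through."""
    try:
        strict_check(raw)
        return True
    except ValueError:
        return False


def build_diag_argv_safe(raw):
    """Hardened: the validated value becomes one argv element and no shell is
    involved, so metacharacters cannot change which command runs."""
    return DIAG_ARGV + [strict_check(raw)]


def run_safe(raw):
    """Execute without a shell; the name reaches printf as a single argument."""
    return subprocess.run(build_diag_argv_safe(raw), capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "learn_kylin ; echo INJECTED"
    print("vulnerable:", repr(run_vulnerable(payload)))  # second line is attacker output
    print("safe, good name:", repr(run_safe("learn_kylin")))
    print("safe, payload accepted?", is_accepted_by_strict_check(payload))
```

The two fixes are independent and both are worth having: validating the exact string that is used closes the mismatch, and passing it as an argv element rather than through `shell=True` means that even a future gap in the allowlist cannot turn a project name into extra commands.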

Affected product (CPE)
Name: apache kylin    Operator: eq    Version: 4.0.0
