10 matches found
org.apache.kylin:kylin-spark-test (=4.0.0-alpha), org.apache.kylin:kylin-tool-assembly (>=2.1.0 <=4.0.0-alpha) +2 more potentially affected by CVE-2022-24697 via org.apache.kylin:kylin-server-base (>=2.1.0 <=4.0.0-alpha)
org.apache.kylin:kylin-server-base MAVEN version =2.1.0, =2.1.0, =1.1.0, =1.1.0, =2.4.0 Source cves: CVE-2022-24697 Source advisory: OSV:GHSA-PPXX-M926-G569...
org.apache.kylin:kylin-spark-test (=4.0.0-alpha), org.apache.kylin:kylin-tool-assembly (>=2.1.0 <=4.0.0-alpha) +2 more potentially affected by CVE-2022-44621 via org.apache.kylin:kylin-server-base (>=2.1.0 <=4.0.0-alpha)
org.apache.kylin:kylin-server-base MAVEN version =2.1.0, =2.1.0, =1.1.0, =1.1.0, =2.4.0 Source cves: CVE-2022-44621 Source advisory: OSV:GHSA-W9RV-XMF7-X3GH...
Privilege Escalation
kylin-server-base is vulnerable to privilege escalation. The vulnerability exists in the setParam function in QueryService.java, allowing an attacker to load any class through the Class.forName function...
org.apache.kylin:kylin-tool-assembly (=3.0.0) potentially affected by CVE-2020-1937 via org.apache.kylin:kylin-server-base (=3.0.0)
org.apache.kylin:kylin-server-base MAVEN version =3.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.kylin:kylin-server-base and may be impacted: - org.apache.kylin:kylin-tool-assembly =3.0.0 Source cves: CVE-2020-1937 Source advisory:...
org.apache.kylin:kylin-tool-assembly (>=2.1.0 <=2.6.4), org.apache.ranger:ranger-kylin-plugin (>=1.1.0 <=2.2.0) +1 more potentially affected by CVE-2020-1937 via org.apache.kylin:kylin-server-base (>=2.1.0 <=2.6.4)
org.apache.kylin:kylin-server-base MAVEN version =2.1.0, =2.1.0, =1.1.0, =1.1.0, =2.2.0 Source cves: CVE-2020-1937 Source advisory: OSV:GHSA-7HMH-8GWV-MFVQ...
org.apache.kylin:kylin-tool-assembly (>=2.1.0 <=3.0.2), org.apache.ranger:ranger-kylin-plugin (>=1.1.0 <=2.2.0) +1 more potentially affected by CVE-2020-13926 via org.apache.kylin:kylin-server-base (>=2.1.0 <=3.0.2)
org.apache.kylin:kylin-server-base MAVEN version =2.1.0, =2.1.0, =1.1.0, =1.1.0, =2.2.0 Source cves: CVE-2020-13926 Source advisory: OSV:GHSA-HX5G-8HQ2-8X4W...
org.apache.kylin:kylin-tool-assembly (>=2.1.0 <=3.0.2), org.apache.ranger:ranger-kylin-plugin (>=1.1.0 <=2.2.0) +1 more potentially affected by CVE-2020-13925 via org.apache.kylin:kylin-server-base (>=2.1.0 <=3.0.2)
org.apache.kylin:kylin-server-base MAVEN version =2.1.0, =2.1.0, =1.1.0, =1.1.0, =2.2.0 Source cves: CVE-2020-13925 Source advisory: OSV:GHSA-QWFW-GXX2-MMV2...
SQL Injection
kylin-server-base is vulnerable to SQL injection. SQL statements are concatenated and executed in the CLI or beeline when building new segments, allowing an attacker to inject and execute arbitrary SQL statements if system configurations are overwritten via REST APIs...
OS Command Injection
kylin-server-base is vulnerable to OS Command Injection. The vulnerability exists because the values of srcCfgUri, dstCfgUri, and projectName in CubeService.java are not properly handled...
SQL Injection
kylin-server-base is vulnerable to SQL injection. User input to some RESTful APIs is not validated and sanitized before being concatenated to SQL queries. This allows an attacker to inject and execute arbitrary SQL statements in the database...