21 matches found
CVE-2020-1956
Apache Kylin CVE-2020-1956 affects 2.3.0 and releases up to 2.6.5 and 3.0.1, where REST APIs concatenate user input into OS commands, enabling likely remote code execution with high impact. Connected documents confirm vulnerable versions and the underlying command injection in the REST layer; som...
CVE-2020-13925
CVE-2020-13925 is a Kylin REST API command injection issue affecting 2.3.x through 3.1.0. The root cause is REST endpoints concatenating user input into OS commands, enabling remote command execution on vulnerable servers. The CVE is linked to CVE-2020-1956 disclosures describing similar REST‑bas...
CVE-2020-1937
CVE-2020-1937 (Kylin) concerns an injection flaw in Kylin’s RESTful APIs where user input is concatenated into SQL queries. The available sources consistently describe a SQL injection risk enabling an attacker to run arbitrary database statements through vulnerable endpoints. The technical detail...
CVE-2022-43396
CVE-2022-43396 involves a command injection in Apache Kylin caused by a blacklist bypass in the configuration parameter kylin.engine.spark-cmd (conf). The vulnerability arises from allowing attackers to influence the command line, enabling arbitrary OS command execution via cube designer/command ...
CVE-2020-13937
CVE-2020-13937 - Apache Kylin involves an unauthenticated REST API that exposes Kylin’s configuration information across multiple versions (2.0.0 up to 4.0.0-alpha). The connected documents confirm an information-disclosure risk via an exposed configuration API, enabling potential leakage of conf...
CVE-2022-24697
CVE-2022-24697 affects Apache Kylin’s cube designer function and enables command injection/RCE by manipulating the configuration overwrite menu. The root cause described across Red Hat advisories is improper input filtering; an attacker can influence command execution by controlling the kylin.eng...
CVE-2021-36774
CVE-2021-36774 concerns Apache Kylin. The connected sources describe an issue where reading data from other databases via JDBC allows a hacker-controlled MySQL server to execute arbitrary code inside Kylin server processes, via certain properties in the MySQL JDBC driver. Affected are Apache Kyli...
CVE-2022-44621
CVE-2022-44621 relates to Apache Kylin and concerns the Diagnosis Controller. The underlying issue is missing parameter validation in the controller, enabling potential command injection through HTTP requests. Multiple sources describe this as a high-severity, remote-execution risk (CVSS v3.1 bas...
CVE-2021-45456
CVE-2021-45456 affects Apache Kylin 4.0.0. Multiple connected sources describe a mismatch between the legitimacy check for the project name and the shell command argument in DiagnosisService, enabling potential command injection. The issue is network-exploitable with a very high CVSS score (3.1: ...
CVE-2021-45458
Apache Kylin’s PasswordPlaceholderConfigurer uses a cipher initialized with a hardcoded key and IV, risking decryption of passwords stored in configuration. Affected: Kylin 2.x ≤ 2.6.6; 3.x ≤ 3.1.2; 4.x ≤ 4.0.0. Impact: potential password exposure. Remediation/fix details are not provided in the ...
CVE-2021-45457
CVE-2021-45457 (Apache Kylin) is a Cross-Origin Resource Sharing misconfiguration where credentials are allowed from any origin, affecting Kylin 2.x (2.6.6 and earlier), 3.x (3.1.2 and earlier), and 4.x (4.0.0 and earlier). The underlying issue is unsafe handling of cross-origin requests with cre...
CVE-2021-31522
CVE-2021-31522 affects Apache Kylin: Kylin can receive user input and load arbitrary classes via Class.forName(...). Affected are Kylin 2.x (2.6.6 and earlier), 3.x (3.1.2 and earlier), and 4.x (4.0.0 and earlier). Root cause is unsafe dynamic class loading triggered by user input, exposing poten...
CVE-2020-13926
Kylin is susceptible to SQL injection in the segment-building process. The vulnerability arises because Hive SQL (HQL) used during segment creation is assembled from a mix of system configurations and user-overwritable REST API inputs, allowing an attacker to inject and execute arbitrary SQL stat...
CVE-2021-27738
CVE-2021-27738 concerns Apache Kylin prior to 3.1.2 where all request mappings in StreamingCoordinatorController.java under /kylin/api/streaming_coordinator/* lacked input validation and security checks. This enables unauthenticated users to issue arbitrary requests (e.g., assigning/unassigning s...
CVE-2024-48944
Apache Kylin is affected by a Server-Side Request Forgery (SSRF) in the /kylin/api/xxx/diag endpoint. The issue requires two preconditions: the attacker has admin access to a Kylin server and a second internal host exposes the /kylin/api/xxx/diag API, allowing forging requests to internal service...
CVE-2025-30067
Apache Kylin contains a Code Injection vulnerability (CVE-2025-30067) that can allow arbitrary code execution in the application context if an attacker has system or project admin access and can alter JDBC connection configuration. The issue affects Kylin 4.0.0 through 5.0.1. Mitigation provided ...
CVE-2024-23590
The CVE-2024-23590 entry describes a Session Fixation vulnerability in Apache Kylin, affecting versions 2.0.0 through 4.x. The root cause, as stated across sources, is improper handling of session identifiers in the web interface, which could enable session hijacking. The material recommends upgr...
CVE-2023-29055
CVE-2023-29055 affects Apache Kylin 2.0.0–4.0.3, where the Server Config web interface can display the contents of kylin.properties. When accessed over HTTP (or other plaintext protocols), network sniffers may intercept the payload and access potential server-side credentials. The root cause is t...
CVE-2025-61735
Apache Kylin is affected by a Server-Side Request Forgery (SSRF) vulnerability in versions 4.0.0 through 5.0.2. The issue arises from insufficient authentication to verify request sources, potentially allowing an attacker to probe internal/intranet resources. The recommended remediation is to upg...
CVE-2025-61733
CVE-2025-61733 describes an authentication bypass in Apache Kylin. Affected versions are 4.0.0 through 5.0.2; remediation is to upgrade to 5.0.3, which fixes the issue. Connected sources consistently state an authentication bypass via an alternate path or channel affecting the Kylin API (notably ...
CVE-2025-61734
CVE-2025-61734 affects Apache Kylin (versions 4.0.0 through 5.0.2). The issue is an information-disclosure vulnerability caused by inadequate protection of sensitive information, allowing files or directories to be accessible to external parties. The vulnerability is addressed by upgrading to Apa...