Kylin Security Vulnerabilities and Issues — Kylin CVE List

Lucene search

ApacheKylin

9 matches found

CVE•added 2022/12/30 11:15 a.m.•99 views

CVE-2022-43396

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.

8.8CVSS9.2AI score0.55949EPSS

CVE•added 2022/10/13 1:15 p.m.•85 views

CVE-2022-24697

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command...

9.8CVSS9.2AI score0.55949EPSS

CVE•added 2022/01/06 1:15 p.m.•83 views

CVE-2021-36774

Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue aff...

6.5CVSS6.6AI score0.00829EPSS

CVE•added 2022/12/30 11:15 a.m.•83 views

CVE-2022-44621

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.

9.8CVSS9.8AI score0.00705EPSS

CVE•added 2022/01/06 1:15 p.m.•73 views

CVE-2021-45458

Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password ...

7.5CVSS7.5AI score0.00649EPSS

CVE•added 2022/01/06 1:15 p.m.•72 views

CVE-2021-45456

Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass th...

9.8CVSS9.8AI score0.58099EPSS

CVE•added 2022/01/06 1:15 p.m.•67 views

CVE-2021-31522

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

9.8CVSS9.5AI score0.05797EPSS

CVE•added 2022/01/06 1:15 p.m.•67 views

CVE-2021-45457

In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

7.5CVSS7.4AI score0.01172EPSS

CVE•added 2022/01/06 1:15 p.m.•63 views

CVE-2021-27738

All request mappings in StreamingCoordinatorController.java handling /kylin/api/streaming_coordinator/* REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification ...

7.5CVSS7.6AI score0.0243EPSS