kylin-server-base is vulnerable to privilege escalation. The vulnerability exists in the setParam function in QueryService.java, allowing an attacker to load any class through the Class.forName function.
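The pattern described above, next to a hardened form, as an added example (not Kylin's QueryService code and not taken from the fix commit). It assumes the parameter's type name and value both arrive as strings from the request; the class `ParamBinding`, the methods `convertUnsafe` and `convertSafe`, and the accepted type list are hypothetical.

```java
import java.math.BigDecimal;
import java.util.Map;
import java.util.function.Function;

// Added illustration; all names here are hypothetical, not from Kylin.
public class ParamBinding {

    // Risky pattern, kept only for contrast: the class name comes from the request,
    // so Class.forName loads and initializes whatever class the caller names.
    static Object convertUnsafe(String className, String value) throws Exception {
        Class<?> clazz = Class.forName(className);
        return clazz.getConstructor(String.class).newInstance(value);
    }

    // Hardened pattern: a fixed allowlist maps accepted type names to converters.
    // No reflection is involved, so the request cannot select a class to load.
    private static final Map<String, Function<String, Object>> CONVERTERS = Map.of(
        "java.lang.String", v -> v,
        "java.lang.Integer", Integer::valueOf,
        "java.lang.Long", Long::valueOf,
        "java.lang.Double", Double::valueOf,
        "java.lang.Boolean", Boolean::valueOf,
        "java.math.BigDecimal", BigDecimal::new);

    static Object convertSafe(String className, String value) {
        Function<String, Object> converter = CONVERTERS.get(className);
        if (converter == null) {
            // Reject before any class lookup happens.
            throw new IllegalArgumentException("Unsupported parameter type: " + className);
        }
        return converter.apply(value);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(convertSafe("java.lang.Integer", "42"));
        try {
            convertSafe("com.example.NotOnTheList", "x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```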
www.openwall.com/lists/oss-security/2022/01/06/4
github.com/advisories/GHSA-q656-g2x3-8cgh
github.com/apache/kylin/commit/e30ea70b7206ec7b1ef052ab5b904ec5344b1d4c
github.com/apache/kylin/pull/1695
github.com/apache/kylin/pull/1763
lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw